DPAPI on 办公AI智能小助手 https://blog.qife122.com/tags/dpapi/ Recent content in DPAPI on 办公AI智能小助手 Hugo zh-cn qife Fri, 07 Nov 2025 11:36:26 +0800 HTB Voleur 渗透测试实战:从凭证泄露到域控提权 https://blog.qife122.com/p/htb-voleur-%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%AE%9E%E6%88%98%E4%BB%8E%E5%87%AD%E8%AF%81%E6%B3%84%E9%9C%B2%E5%88%B0%E5%9F%9F%E6%8E%A7%E6%8F%90%E6%9D%83/ Fri, 07 Nov 2025 11:36:26 +0800 https://blog.qife122.com/p/htb-voleur-%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%AE%9E%E6%88%98%E4%BB%8E%E5%87%AD%E8%AF%81%E6%B3%84%E9%9C%B2%E5%88%B0%E5%9F%9F%E6%8E%A7%E6%8F%90%E6%9D%83/ <h1 id="初始侦察">初始侦察</h1> <h2 id="端口扫描">端口扫描</h2> <p>Nmap扫描显示开放的TCP端口:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">oxdf@hacky$ nmap -p- -vvv --min-rate <span class="m">10000</span> 10.10.11.76 </span></span><span class="line"><span class="cl">PORT STATE SERVICE </span></span><span class="line"><span class="cl">53/tcp open domain </span></span><span class="line"><span class="cl">88/tcp open kerberos-sec </span></span><span class="line"><span class="cl">135/tcp open msrpc </span></span><span class="line"><span class="cl">139/tcp open netbios-ssn </span></span><span class="line"><span class="cl">389/tcp open ldap </span></span><span class="line"><span class="cl">445/tcp open microsoft-ds </span></span><span class="line"><span class="cl">464/tcp open kpasswd5 </span></span><span class="line"><span class="cl">593/tcp open http-rpc-epmap </span></span><span class="line"><span class="cl">636/tcp open ldapssl </span></span><span class="line"><span class="cl">2222/tcp open ssh </span></span><span class="line"><span class="cl">3268/tcp open globalcatLDAP </span></span><span class="line"><span class="cl">3269/tcp open globalcatLDAPssl </span></span><span class="line"><span class="cl">5985/tcp open wsman </span></span><span class="line"><span class="cl">9389/tcp open adws </span></span></code></pre></td></tr></table> </div> </div><p>域名为 <code>voleur.htb</code>,主机名为 <code>DC</code>。</p> HTB Puppy渗透测试实战:从初始凭证到域管理员权限提升 https://blog.qife122.com/p/htb-puppy%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%AE%9E%E6%88%98%E4%BB%8E%E5%88%9D%E5%A7%8B%E5%87%AD%E8%AF%81%E5%88%B0%E5%9F%9F%E7%AE%A1%E7%90%86%E5%91%98%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87/ Mon, 29 Sep 2025 16:31:46 +0800 https://blog.qife122.com/p/htb-puppy%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%AE%9E%E6%88%98%E4%BB%8E%E5%88%9D%E5%A7%8B%E5%87%AD%E8%AF%81%E5%88%B0%E5%9F%9F%E7%AE%A1%E7%90%86%E5%91%98%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87/ <h1 id="初始侦察">初始侦察</h1> <h2 id="端口扫描">端口扫描</h2> <p>使用nmap进行端口扫描,发现多个开放端口:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">oxdf@hacky$ nmap -p- --min-rate <span class="m">10000</span> 10.10.11.70 </span></span></code></pre></td></tr></table> </div> </div><p>关键开放端口包括:</p> <ul> <li>53/tcp - DNS</li> <li>88/tcp - Kerberos</li> <li>135/tcp - RPC</li> <li>139/tcp - NetBIOS</li> <li>389/tcp - LDAP</li> <li>445/tcp - SMB</li> <li>5985/tcp - WinRM</li> </ul> <h2 id="初始凭证">初始凭证</h2> <p>HackTheBox提供初始凭证:</p>