# Nmap 7.95 scan initiated Tue Oct 7 00:42:21 2025 as: /usr/lib/nmap/nmap --privileged -vvv -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,5985,9389,47001,49784 -4 -sC -sV -o scan_result.txt 192.168.102.187
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.1 \d\d\d (?:[^\r\n]*\r\n(?!\r\n))*?.*\r\nServer: Virata-EmWeb/R([\d_]+)\r\nContent-Type: text/html; ?charset=UTF-8\r\nExpires: .*<title>HP (Color |)LaserJet ([\w._ -]+) '
Nmap scan report for 192.168.102.187
Host is up, received syn-ack ttl 125 (0.066s latency).
Scanned at 2025-10-07 00:42:22 EDT for 70s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Simple DNS Plus
80/tcp open http syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
|_http-title: Access The Event
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2025-10-07 04:42:28Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
443/tcp open ssl/http syn-ack ttl 125 Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
| SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
| tls-alpn:
|_ http/1.1
|_http-title: Access The Event
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 125
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 125
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
47001/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49784/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 14811/tcp): CLEAN (Couldn't connect)
| Check 2 (port 33240/tcp): CLEAN (Couldn't connect)
| Check 3 (port 39346/udp): CLEAN (Failed to receive data)
| Check 4 (port 17127/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-10-07T04:43:21
|_ start_date: N/A
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 7 00:43:32 2025 -- 1 IP address (1 host up) scanned in 70.43 seconds
First I put the IP into the address bar, then ran dirsearch to scan for paths. It found an /uploads/ path where uploaded files are stored.
After that I found that the purchase page lets you upload a file, which presumably lands in uploads.
You can try uploading a PHP webshell, but it gets blocked, and changing the Content-Type makes no difference.
So at this point I thought of .htaccess: upload one into uploads and you can get code execution.
Once the .htaccess is uploaded, the server starts treating a chosen extension (for example .xxx) as PHP, so uploading a webshell with that same extension is enough to execute commands on the server side.
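The upload bypass above works because the application only screened the obvious things (the .php extension and the Content-Type header) while the web server still honoured a client-supplied .htaccess dropped into the same directory. As an added example that is not part of the original writeup, the following is the kind of server-side filename and content policy that closes that path. It assumes the purchase page only needs to accept images; the allowlist, the magic-byte table and the sample inputs are assumptions, not anything taken from the target.

```python
import os
import re
from typing import Tuple

# Assumption: the purchase page only needs to accept images.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of each allowed format. The client's Content-Type header is
# attacker-controlled (the writeup shows it being changed freely), so it is
# never consulted; the bytes of the file decide.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def check_upload_name(filename: str) -> Tuple[bool, str]:
    """Accept or reject an upload on its name alone.

    Rejects path components, any dotfile (which covers .htaccess and friends),
    multiple extensions (shell.php.jpg) and any extension not on the allowlist.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename:
        return False, "path separators are not allowed"
    if not name or name.startswith("."):
        return False, "dotfiles such as .htaccess are not allowed"
    parts = name.split(".")
    if len(parts) != 2:
        return False, "exactly one extension is required"
    stem, ext = parts
    if not _STEM.match(stem):
        return False, "invalid characters in file name"
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False, "extension ." + ext + " is not on the allowlist"
    return True, "ok"


def content_matches_extension(data: bytes, ext: str) -> bool:
    """True if the file's leading bytes match the format the extension claims."""
    signature = MAGIC.get(ext.lower())
    return signature is not None and data.startswith(signature)


def accept_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Full decision: a safe name, then content that really is the claimed format."""
    ok, reason = check_upload_name(filename)
    if not ok:
        return False, reason
    ext = filename.rsplit(".", 1)[1]
    if not content_matches_extension(data, ext):
        return False, "content does not match the claimed image format"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs mirroring the cases in the writeup.
    samples = [
        (".htaccess", b"# apache directives"),
        ("shell.xxx", b"<?php echo 'hi'; ?>"),
        ("shell.php.jpg", b"<?php echo 'hi'; ?>"),
        ("photo.png", b"<?php echo 'hi'; ?>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, data in samples:
        print(name, accept_upload(name, data))
```

The filename check alone is not the whole fix. The uploads directory should also be configured with AllowOverride None in the Apache configuration so that a stray .htaccess is ignored rather than parsed, and the PHP handler should be disabled for that directory; then a file that slips through the allowlist is still served as static content instead of executed.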
That is how I got the initial reverse shell, running as svc_apache.
Next I found another account on the system, svc_mssql, which I judged to be the SQL service account.
Further enumeration of Active Directory turned up a matching SPN (Service Principal Name), which means a Kerberos service ticket can be requested for that account.
In a real penetration test this is the situation where you try to obtain the hash from memory or from the service ticket and perform Kerberoasting.
Once it is cracked, the account can be used to log in further into the system and move laterally.
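The SPN observation above is also what a defender watches for on the domain controller: a Kerberoasting run requests service tickets for user-account SPNs and asks for RC4 so the ticket is cheap to crack, which shows up in Security event 4769 as TicketEncryptionType 0x17 for a ServiceName that is neither a machine account nor krbtgt. The detection below is an added example, not from the writeup; it runs over constructed 4769 records. The domain, the svc_apache and svc_mssql names and the SERVER hostname come from this page; svc_backup, svc_web, alice, bob, the timestamps and the TEST-NET addresses are made up, and the window and burst threshold are tuning assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Event 4769 TicketEncryptionType for RC4-HMAC; AES would be 0x11 / 0x12.
RC4_HMAC = "0x17"

# Constructed sample 4769 records (not real log data from the target).
SAMPLE_4769 = [
    {"time": "2025-10-07T04:50:01", "TargetUserName": "svc_apache@ACCESS.OFFSEC",
     "ServiceName": "svc_mssql", "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.10"},
    {"time": "2025-10-07T04:50:01", "TargetUserName": "svc_apache@ACCESS.OFFSEC",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.10"},
    {"time": "2025-10-07T04:50:02", "TargetUserName": "svc_apache@ACCESS.OFFSEC",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.10"},
    {"time": "2025-10-07T04:50:02", "TargetUserName": "svc_apache@ACCESS.OFFSEC",
     "ServiceName": "SERVER$", "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.10"},
    {"time": "2025-10-07T04:50:03", "TargetUserName": "svc_apache@ACCESS.OFFSEC",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "192.0.2.10"},
    {"time": "2025-10-07T08:10:00", "TargetUserName": "alice@ACCESS.OFFSEC",
     "ServiceName": "svc_mssql", "TicketEncryptionType": "0x12", "IpAddress": "192.0.2.11"},
    {"time": "2025-10-07T09:00:00", "TargetUserName": "bob@ACCESS.OFFSEC",
     "ServiceName": "svc_mssql", "TicketEncryptionType": "0x17", "IpAddress": "192.0.2.12"},
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def is_roastable_request(ev: Dict[str, str]) -> bool:
    """An RC4 service ticket for a user SPN (not a machine account, not krbtgt)."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoasting(events: List[Dict[str, str]], window_minutes: int = 5,
                         burst_threshold: int = 3) -> List[Dict]:
    """One alert per requesting principal that obtained roastable tickets.

    Severity is 'high' when the principal pulled tickets for at least
    burst_threshold distinct services inside one window, the bulk pattern a
    Kerberoasting tool produces; a single RC4 request is still 'medium'
    because a domain using AES should rarely issue RC4 tickets at all.
    """
    per_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_requester[ev["TargetUserName"]].append(
                (parse_time(ev["time"]), ev["ServiceName"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for requester in sorted(per_requester):
        hits = sorted(per_requester[requester])
        max_burst = 0
        for i, (t0, _) in enumerate(hits):
            distinct = {svc for t, svc in hits[i:] if t - t0 <= window}
            max_burst = max(max_burst, len(distinct))
        alerts.append({
            "requester": requester,
            "services": sorted({svc for _, svc in hits}),
            "severity": "high" if max_burst >= burst_threshold else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert)
```

The machine-account and krbtgt exclusions are the usual noise filters; what makes the svc_apache entry high severity is three distinct user SPNs requested within a second of each other, which is how the tooling behaves and how ordinary clients do not. Honeytoken SPNs that nothing legitimate ever requests pair well with this rule.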
After getting into the system as svc_mssql, I checked its privileges and found it held a special one: SeManageVolumePrivilege.
This privilege is quite important in real Windows environments because it allows the user to perform management operations on disks.
If it is not properly configured or monitored, it can be abused to write into system directories or replace DLLs, ultimately escalating to system level (NT AUTHORITY\SYSTEM).
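The practical check for the point made above is to find out who holds SeManageVolumePrivilege before an attacker does. An administrator can export the local security policy with secedit /export /cfg and review the [Privilege Rights] section, where each user right is listed as a comma-separated set of SIDs prefixed with an asterisk. The audit below is an added example, not part of the writeup: it parses a constructed export in that format and flags any holder of a sensitive privilege that is not on an expected list. The domain SID ending in -1105 is a placeholder standing in for the svc_mssql account; the expected-holder table is an assumption to be adjusted per environment.

```python
import re
from typing import Dict, List, Tuple

# Assumption: these are the only principals that should hold each right.
# S-1-5-32-544 is BUILTIN\Administrators, S-1-5-32-551 is Backup Operators.
EXPECTED_HOLDERS = {
    "SeManageVolumePrivilege": {"S-1-5-32-544"},
    "SeBackupPrivilege": {"S-1-5-32-544", "S-1-5-32-551"},
    "SeRestorePrivilege": {"S-1-5-32-544", "S-1-5-32-551"},
    "SeTakeOwnershipPrivilege": {"S-1-5-32-544"},
    "SeDebugPrivilege": {"S-1-5-32-544"},
}

# Constructed excerpt in the shape secedit /export /cfg produces (not a real export).
# The SID ending in -1105 is a placeholder for the svc_mssql service account.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeManageVolumePrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

_SECTION = re.compile(r"^\[(.+)\]$")


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {privilege name: [SID, ...]} from the [Privilege Rights] section."""
    rights: Dict[str, List[str]] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Holders are written as *SID; strip the marker so SIDs compare cleanly.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[key.strip()] = holders
    return rights


def audit_privileges(inf_text: str,
                     expected: Dict[str, set] = EXPECTED_HOLDERS) -> List[Tuple[str, str]]:
    """List (privilege, SID) pairs where a sensitive right is held by an unexpected principal."""
    findings = []
    for privilege, holders in parse_privilege_rights(inf_text).items():
        if privilege not in expected:
            continue
        for sid in holders:
            if sid not in expected[privilege]:
                findings.append((privilege, sid))
    return findings


if __name__ == "__main__":
    # On a real host: secedit /export /cfg C:\sec.inf, then read the file with
    # open(path, encoding="utf-16"), since secedit writes the export as UTF-16.
    for privilege, sid in audit_privileges(SAMPLE_INF):
        print("review:", privilege, "granted to", sid)
```

Resolving the flagged SID to an account name (for example with PowerShell's SecurityIdentifier.Translate) and removing the right from the service account, or moving the service to a group-managed service account that does not need it, is the remediation; the same export can be fed to this audit on a schedule so a regression is noticed.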
Once privilege escalation is done, the flag on the Administrator's desktop can be read.