Jostif/htb-writeups
GitHub: Jostif/htb-writeups
J0stif's HackTheBox machine pentest writeups, providing complete methodology and technical details from enumeration through post-exploitation, for security learning.
Stars: 0 | Forks: 0
# htb-writeups
J0stif's HackTheBox machine pentest writeups.
Complete walkthroughs covering methodology, commands and techniques.
## Machine index
### Windows — Active Directory
| Machine | Difficulty | Techniques | User | Root | Writeup |
|---|---|---|---|---|---|
| [Eighteen](./Eighteen/) | 🟢 Easy | CVE-2025-8110 (Gogs RCE), BadSuccessor, dMSA abuse | ✓ | ✓ | [→](./Eighteen/README.md) |
| [TombWatcher](./TombWatcher/) | 🟡 Medium | Kerberoasting, gMSA, AddSelf, ForceChangePassword, WriteOwner, deleted object recovery, ESC15, Enrollment Agent abuse | ✓ | ✓ | [→](./TombWatcher/README.md) |
| [Cicada](./Cicada/) | 🟢 Easy | SMB guest access, password spraying, Backup Operators, SeBackupPrivilege, secretsdump | ✓ | ✓ | [→](./Cicada/README.md) |
| [EscapeTwo](./EscapeTwo/) | 🟢 Easy | ADCS ESC4→ESC1, MSSQL | ✓ | ✓ | [→](./EscapeTwo/README.md) |
| [Support](./Support/) | 🟢 Easy | SMB, LDAP, reverse engineering, RBCD | ✓ | ✓ | [→](./Support/README.md) |
| [Overwatch](./Overwatch/) | 🟡 Medium | SMB, WCF/SOAP injection, DNS poisoning, AD | ✓ | ✓ | [→](./Overwatch/README.md) |
### Windows — Standalone
| Machine | Difficulty | Techniques | User | Root | Writeup |
|---|---|---|---|---|---|
| [Unika](./Unika/) | 🟢 Easy | LFI, NTLMv2, Hashcat | ✓ | ✓ | [→](./Unika/README.md) |
| [Timelapse](./Timelapse/) | 🟢 Easy | SMB, PFX, LAPS | ✓ | ✓ | [→](./Timelapse/README.md) |
### Linux
| Machine | Difficulty | Techniques | User | Root | Writeup |
|---|---|---|---|---|---|
| [Browsed](./Browsed/) | 🟡 Medium | Chrome extension, Bash arithmetic injection, SSRF, pyc hijacking | ✓ | ✓ | [→](./Browsed/README.md) |
## Coming soon (awaiting retirement)
| Machine | Difficulty | Techniques |
|---|---|---|
| Logging | 🟡 Medium | Shadow Credentials, ADCS ESC1, DLL hijacking, WSUS |
| Garfield | 🔴 Hard | WriteDacl, RBCD, KeyList (RODC), SYSVOL |
| Interpreter | 🟡 Medium | CVE-2023-43208, deserialization, PBKDF2, eval() injection |
## Technique index
| Technique | Machines |
|---|---|
| ADCS / ESC1 | EscapeTwo |
| ADCS / ESC4 | EscapeTwo |
| ADCS / ESC15 (CVE-2024-49019) | TombWatcher |
| Enrollment Agent abuse (ESC3) | TombWatcher |
| BadSuccessor / dMSA | Eighteen |
| CVE exploitation | Eighteen (CVE-2025-8110), TombWatcher (CVE-2024-49019) |
| Gogs RCE | Eighteen |
| Kerberoasting | TombWatcher |
| gMSA password dumping | TombWatcher |
| AddSelf ACE abuse | TombWatcher |
| ForceChangePassword | TombWatcher |
| WriteOwner | TombWatcher |
| Deleted object recovery | TombWatcher |
| SMB enumeration | Support, Timelapse, Overwatch, Cicada |
| Password spraying | Cicada |
| Backup Operators / SeBackupPrivilege | Cicada |
| secretsdump (offline registry hives) | Cicada |
| LDAP enumeration | Support |
| Reverse engineering (.NET) | Support |
| RBCD | Support |
| LAPS | Timelapse |
| PFX cracking | Timelapse |
| LFI | Unika |
| NTLMv2 / Responder | Unika, Overwatch |
| WCF / SOAP injection | Overwatch |
| DNS poisoning | Overwatch |
| Chrome extension abuse | Browsed |
| SSRF | Browsed |
| Bash arithmetic injection | Browsed |
| Python pyc hijacking | Browsed |
## Methodology
Every writeup follows the same structure:
```
1. Enumeration — nmap, service fingerprinting, web/SMB recon
2. Foothold — initial access vector
3. User flag — lateral movement or privilege escalation to user
4. Root/System — privilege escalation to root/SYSTEM
5. Key takeaways — what the machine teaches
```
## Tools used
| Category | Tools |
|---|---|
| Reconnaissance | nmap, gobuster, feroxbuster, enum4linux-ng, smbclient |
| AD attacks | impacket, certipy, bloodyAD, pywhisker, PKINITtools |
| BloodHound | bloodhound-python, custom queries |
| Web | burpsuite, nuclei |
| Password cracking | hashcat, john, zip2john, pfx2john |
| Post-exploitation | evil-winrm, netexec, secretsdump |
## Related repositories
- [ad-attack-chain](https://github.com/Jostif/ad-attack-chain) — automated AD attack chain
- [ad-lab](https://github.com/Jostif/ad-lab) — local AD lab environment for reproducing techniques
- [nuclei-templates](https://github.com/Jostif/nuclei-templates) — custom web vulnerability templates
## Author
**J0stif** — penetration tester, bug bounty hunter
PNPT · PWPA · CEH · OSCP (in progress) · HTB CPTS (in progress) · HTB CWES (in progress)
[HTB profile](https://app.hackthebox.com/users/2209690) · [Website & writeups](https://jostif.pages.dev) · [Twitter/X](https://x.com/J0stif)