Contents
Introduction
This box is rated easy, but for someone touching Active Directory domain penetration for the first time, as I was, it was fairly hard. Using the names found on the website, I built a wordlist and enumerated domain usernames over the Kerberos protocol; a misconfiguration then let me enumerate a domain user's password. With that domain user and password I logged in to the domain controller through the remote management service on port 5985 and obtained a shell as domain user FSmith. A privilege-escalation helper script then revealed the password of domain user svc_loanmgr, which was used to dump the Administrator password hash, yielding a shell with domain-admin privileges.
Information Gathering
Port Scanning
Scanning ports and services with nmap --min-rate 10000 -T5 -A -p1-65535 10.10.10.175 shows a large number of open ports, as shown in the figure:
Web Information Gathering
Reviewing each function of the web service and its source code turned up no vulnerability that would yield a shell; the site is static, generated with W3layouts, as shown in the figure:
Under the About menu we find the names of some company staff, as shown in the figure:
Scanning the site's directories also turned up no valuable leads, as shown in the figure:
Vulnerability Discovery
Enumerating port 135 gave nothing, and checking the shares on port 445 also gave nothing. Port 88 is running the Kerberos service and ports 389 and 3268 are both running LDAP, so we scan for LDAP issues with nmap -sV 10.10.10.175 --script ldap*.nse; the result is as follows:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-31 09:53 EDT
Nmap scan report for 10.10.10.175
Host is up (0.36s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-31 20:53:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
| ldap-brute:
| root:<empty> => Valid credentials
| admin:<empty> => Valid credentials
| administrator:<empty> => Valid credentials
| webadmin:<empty> => Valid credentials
| sysadmin:<empty> => Valid credentials
| netadmin:<empty> => Valid credentials
| guest:<empty> => Valid credentials
| user:<empty> => Valid credentials
| web:<empty> => Valid credentials
|_ test:<empty> => Valid credentials
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=EGOTISTICAL-BANK,DC=LOCAL
| ldapServiceName: EGOTISTICAL-BANK.LOCAL:sauna$@EGOTISTICAL-BANK.LOCAL
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supported
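The ldap-brute block above deserves a second look before anyone writes down ten "valid" accounts: when every username succeeds with <empty>, the domain controller accepted unauthenticated simple binds, which is a hardening finding about the DC, not evidence of blank passwords. The following script is an added example, not part of the original write-up; it parses a constructed fragment of that nmap output, extracts the rootDSE attributes, and flags the unauthenticated-bind pattern. Function names and the sample text are my own.

```python
import re

# Constructed sample: a fragment of the nmap ldap-brute / ldap-rootdse output shown above.
SAMPLE = """\
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
| ldap-brute:
| root:<empty> => Valid credentials
| admin:<empty> => Valid credentials
|_ test:<empty> => Valid credentials
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| rootDomainNamingContext: DC=EGOTISTICAL-BANK,DC=LOCAL
| ldapServiceName: EGOTISTICAL-BANK.LOCAL:sauna$@EGOTISTICAL-BANK.LOCAL
| supportedSASLMechanisms: GSSAPI
"""

BRUTE_RE = re.compile(r"^\|_?\s*(\S+?):(\S*) => Valid credentials$")
ATTR_RE = re.compile(r"^\|_?\s*([A-Za-z]+): (.+)$")


def parse_ldap_brute(text):
    """Map username -> password for every ldap-brute 'Valid credentials' line."""
    return {m.group(1): m.group(2) for m in map(BRUTE_RE.match, text.splitlines()) if m}


def parse_rootdse(text):
    """Collect rootDSE attributes as name -> [values]; multi-valued attributes are kept."""
    attrs, in_section = {}, False
    for line in text.splitlines():
        if not line.startswith("|"):          # a new port line ends the script block
            in_section = False
        elif line.startswith("| ldap-rootdse:"):
            in_section = True
        elif in_section and (m := ATTR_RE.match(line)):
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


def assess(text):
    """If every ldap-brute hit used <empty>, the DC accepted unauthenticated binds, not blank passwords."""
    hits, dse = parse_ldap_brute(text), parse_rootdse(text)
    dn = dse.get("rootDomainNamingContext", [""])[0]
    svc = dse.get("ldapServiceName", [""])[0]
    host = re.search(r":([^$@:]+)\$@", svc)   # hostname sits between ':' and '$@'
    return {
        "unauthenticated_bind_accepted": bool(hits) and all(p == "<empty>" for p in hits.values()),
        "domain": ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC=")),
        "dc_hostname": host.group(1) if host else None,
        "rootdse": dse,
    }
```

Run `assess(SAMPLE)` to get the summary; on the real scan the same parser reports the full 10-account list as one finding rather than ten.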