Hack The Box Domain Penetration Series: the Multimaster Machine

This article records in detail a domain penetration of the Multimaster machine, covering information gathering, port scanning, checks of the SMB and RPC services, discovery of database users through MSSQL injection, enumeration of domain usernames via MSSQL, exploitation of CVE-2019-1414, and privilege escalation. System privileges were finally obtained through service path hijacking and privilege abuse.

AD-Multimaster

0x00 Preface

As a beginner who has recently been learning domain penetration, I decided to work through Hack The Box's Active Directory 101 series of domain penetration machines and to record in detail the tools and knowledge points used along the way, together with the principles behind them. This is the ninth article in the series; the machine is named Multimaster and is rated Insane difficulty.

0x01 Information Gathering

Port and service scan

nmap -sC -sV -p- 10.10.10.179 -T4 -oA nmap_multimaster
Nmap scan report for 10.10.10.179
Host is up (0.20s latency).
Not shown: 65513 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: MegaCorp
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-12-01 06:05:02Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds  Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGACORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: MEGACORP
|   NetBIOS_Domain_Name: MEGACORP
|   NetBIOS_Computer_Name: MULTIMASTER
|   DNS_Domain_Name: MEGACORP.LOCAL
|   DNS_Computer_Name: MULTIMASTER.MEGACORP.LOCAL
|   DNS_Tree_Name: MEGACORP.LOCAL
|   Product_Version: 10.0.14393
|_  System_Time: 2022-12-01T06:07:34+00:00
| ssl-cert: Subject: commonName=MULTIMASTER.MEGACORP.LOCAL
| Not valid before: 2022-11-30T05:24:52
|_Not valid after:  2023-06-01T05:24:52
|_ssl-date: 2022-12-01T06:08:13+00:00; +6m57s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
49706/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=12/1%Time=63884272%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: MULTIMASTER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h42m57s, deviation: 3h34m40s, median: 6m56s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: MULTIMASTER
|   NetBIOS computer name: MULTIMASTER\x00
|   Domain name: MEGACORP.LOCAL
|   Forest name: MEGACORP.LOCAL
|   FQDN: MULTIMASTER.MEGACORP.LOCAL
|_  System time: 2022-11-30T22:07:34-08:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-12-01T06:07:38
|_  start_date: 2022-12-01T05:24:59

SMB information gathering

crackmapexec smb 10.10.10.179 -u "" -p "" --shares

Nothing of note on SMB for now.

RPC information gathering

rpcclient -U "" -N 10.10.10.179

Successfully obtained some usernames.

Kerberos information gathering

Put the obtained usernames into users.txt for later use.

./kerbrute_linux_amd64 userenum --dc 10.10.10.179 -d MEGACORP.LOCAL /root/HTB/multimaster/users.txt

Then I also tried enumerating usernames with a larger wordlist.

kerbrute_linux_amd64 userenum --domain megacorp.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.179

Save the output to test.txt and filter the usernames out of it with a few simple shell commands (learning some simple shell commands helps you pentest elegantly 0.^).

awk '{print $7}' test.txt | sed 's/@megacorp.local$//'
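As an added example (not code from the original post), the one-liner above generalized into a small POSIX shell function: it keeps only kerbrute's VALID USERNAME lines so banner and summary lines never end up in the wordlist, takes the last field instead of column 7 so the result does not depend on the exact column layout, normalizes case, strips the domain suffix and deduplicates. The kerbrute output embedded in it is constructed sample data, not a real tool run.

```shell
#!/bin/sh
# Added example, not code from the original post: a reusable filter for
# kerbrute userenum output. Assumed line format (constructed sample below):
#   2022/12/01 06:05:03 >  [+] VALID USERNAME:       alice@megacorp.local

SAMPLE_KERBRUTE_OUTPUT='2022/12/01 06:05:02 >  Using KDC(s):
2022/12/01 06:05:02 >      10.10.10.179:88
2022/12/01 06:05:03 >  [+] VALID USERNAME:       alice@megacorp.local
2022/12/01 06:05:03 >  [+] VALID USERNAME:       bob@megacorp.local
2022/12/01 06:05:04 >  [+] VALID USERNAME:       Charlie@MEGACORP.LOCAL
2022/12/01 06:05:04 >  [+] VALID USERNAME:       alice@megacorp.local
2022/12/01 06:05:05 >  Done! Tested 6 usernames (4 valid) in 2.1 seconds'

# extract_users DOMAIN   (reads kerbrute output on stdin)
# Prints one bare, lower-cased username per line, deduplicated:
#   - only lines flagged VALID USERNAME are considered;
#   - $NF (the last field) is used instead of $7, so whitespace or an
#     extra column in the log line does not break the extraction;
#   - everything is lower-cased before the domain suffix is stripped,
#     so mixed-case hits like Charlie@MEGACORP.LOCAL are handled too.
extract_users() {
  dom=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  grep -F 'VALID USERNAME' \
    | awk '{print $NF}' \
    | tr 'A-Z' 'a-z' \
    | sed "s/@$dom\$//" \
    | sort -u
}

# Usage against a saved run:  extract_users megacorp.local < test.txt
printf '%s\n' "$SAMPLE_KERBRUTE_OUTPUT" | extract_users megacorp.local
```

Run on the constructed sample it prints alice, bob and charlie, one per line, with the duplicate alice hit collapsed; the same function works on the real test.txt from the kerbrute run above.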

Put the obtained user